Windows Analysis Report
eszstwQPwq.ps1

Overview

General Information

Sample name: eszstwQPwq.ps1 (renamed because the original name is a hash value)
Original sample name: 82d89a75d80e80e4be42c9eb79e401558c9fa3175648cd0c0467f2de1a07a908.ps1
Analysis ID: 1579862
MD5: d96d2bcf13d55740f3bb64d45d2db94d
SHA1: 4ded4b1d4866a4adf534f5a4eb66386465fe3120
SHA256: 82d89a75d80e80e4be42c9eb79e401558c9fa3175648cd0c0467f2de1a07a908
Tags: lockbit, lockbit40, powershell, ps1, ransomware, user-TheRavenFile

Detection

LockBit ransomware, Metasploit
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found post-exploitation toolkit Empire
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
Yara detected MetasploitPayload
AI detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Suspicious PowerShell Parameter Substring
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 1408 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\eszstwQPwq.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4488 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\eszstwQPwq.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WerFault.exe (PID: 1852 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 2896 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.3772406030.0000000010016000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security
00000004.00000002.3772406030.0000000010016000.00000020.00001000.00020000.00000000.sdmp | Windows_Ransomware_Lockbit_369e1e94 | unknown | unknown
  • 0x141:$a1: 66 83 F8 61 72 0C 66 83 F8 66 77 06 66 83 E8 57 EB 14 66 83 F8 30 72 0C 66 83 F8 39 77 06 66 83 E8 30 EB 02
  • 0x188:$a1: 66 83 F8 61 72 0C 66 83 F8 66 77 06 66 83 E8 57 EB 17 66 83 F8 30 72 0C 66 83 F8 39 77 06 66 83 E8 30 EB 05
  • 0x3bd:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00
00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_1 | Yara detected MetasploitPayload | Joe Security
00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp | Windows_Hacktool_Mimikatz_355d5d3a | Detection for Invoke-Mimikatz | unknown
  • 0x150db:$b2: -MemoryAddress $GetCommandLineWAddrTemp
  • 0x15232:$b2: -MemoryAddress $GetCommandLineWAddrTemp
  • 0x14d6d:$b3: -MemoryAddress $GetCommandLineAAddrTemp
  • 0x14ec4:$b3: -MemoryAddress $GetCommandLineAAddrTemp
00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp | Empire_Invoke_Gen | Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 | Florian Roth
  • 0x14900:$s1: $Shellcode1 += 0x48
  • 0x17fd0:$s2: $PEHandle = [IntPtr]::Zero
  • 0x1a954:$s2: $PEHandle = [IntPtr]::Zero

      System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\eszstwQPwq.ps1 , CommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\eszstwQPwq.ps1 , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\eszstwQPwq.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1408, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\eszstwQPwq.ps1 , ProcessId: 4488, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\eszstwQPwq.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\eszstwQPwq.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\eszstwQPwq.ps1", ProcessId: 1408, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\eszstwQPwq.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\eszstwQPwq.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\eszstwQPwq.ps1", ProcessId: 1408, ProcessName: powershell.exe
      No Suricata rule has matched


      AV Detection

Source: eszstwQPwq.ps1 | ReversingLabs: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.9% probability
Source: powershell.exe, 00000004.00000002.3736434903.0000000007326000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000002.00000002.3553675919.000001ADD2B3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3518249289.000001ADC45F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3723941905.0000000005DEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.3518249289.000001ADC2781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3697190916.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000002.00000002.3518249289.000001ADC415A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.3697190916.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000002.00000002.3518249289.000001ADC2781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000004.00000002.3723941905.0000000005DEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.3723941905.0000000005DEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.3723941905.0000000005DEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.3553675919.000001ADD2B3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3518249289.000001ADC45F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3723941905.0000000005DEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.3518249289.000001ADC415A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org

      Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 00000004.00000002.3772406030.0000000010016000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3723941905.0000000006111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

      System Summary

      barindex
      Source: 00000004.00000002.3772406030.0000000010016000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
      Source: 00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detection for Invoke-Mimikatz Author: unknown
      Source: 00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
      Source: 00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
      Source: 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
      Source: 00000004.00000002.3723941905.0000000006111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
      Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTRMatched rule: Detection for Invoke-Mimikatz Author: unknown
      Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTRMatched rule: Detects obfuscated PowerShell Code Author: Florian Roth
      Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTRMatched rule: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
      Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTRMatched rule: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 Author: Florian Roth
      Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_073D91984_2_073D9198
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_096C98104_2_096C9810
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_096CC7604_2_096CC760
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0984D6604_2_0984D660
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 2896
      Source: 00000004.00000002.3772406030.0000000010016000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
      Source: 00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Hacktool_Mimikatz_355d5d3a reference_sample = 945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96, os = windows, severity = x86, description = Detection for Invoke-Mimikatz, creation_date = 2021-04-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Hacktool.Mimikatz, fingerprint = 9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135, id = 355d5d3a-e50e-4614-9a84-0da668c40852, last_modified = 2021-08-23
      Source: 00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Empire_Invoke_Gen date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28
      Source: 00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Empire_PowerShell_Framework_Gen5 date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = 1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8
      Source: 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
      Source: 00000004.00000002.3723941905.0000000006111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
      Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTR | Matched rule: Windows_Hacktool_Mimikatz_355d5d3a reference_sample = 945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96, os = windows, severity = x86, description = Detection for Invoke-Mimikatz, creation_date = 2021-04-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Hacktool.Mimikatz, fingerprint = 9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135, id = 355d5d3a-e50e-4614-9a84-0da668c40852, last_modified = 2021-08-23
      Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTR | Matched rule: SUSP_Obfuscted_PowerShell_Code date = 2018-12-13, author = Florian Roth, description = Detects obfuscated PowerShell Code, reference = https://twitter.com/silv0123/status/1073072691584880640
      Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTR | Matched rule: Empire_Invoke_Gen date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28
      Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTR | Matched rule: Empire_PowerShell_Framework_Gen5 date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = 1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8
      Source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      Source: classification engine | Classification label: mal92.rans.troj.spyw.winPS1@6/15@0/0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_03
      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4488
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hj01ibwg.2ce.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: eszstwQPwq.ps1 | ReversingLabs: Detection: 28%
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\eszstwQPwq.ps1"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\eszstwQPwq.ps1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 2896
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\eszstwQPwq.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: System.Configuration.Install.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Data.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3694831683.0000000002FC5000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Data.ni.pdbRSDSz}foQ source: WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbW source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: v)o.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb* source: powershell.exe, 00000004.00000002.3765288303.000000000932A000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Numerics.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.DirectoryServices.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb( source: WER460.tmp.dmp.8.dr
      Source: Binary string: Microsoft.SecureBoot.Commands.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER460.tmp.dmp.8.dr
      Source: Binary string: mscorlib.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER460.tmp.dmp.8.dr
      Source: Binary string: mscorlib.pdberShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: symbols\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: System.DirectoryServices.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbz source: powershell.exe, 00000004.00000002.3694831683.0000000003082000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: mscorlib.ni.pdbRSDS source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Configuration.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Data.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: mscorlib.pdb, source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Configuration.Install.pdbP source: WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Management.Automation.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER460.tmp.dmp.8.dr
      Source: Binary string: Microsoft.SecureBoot.Commands.pdbx source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.3736434903.00000000072B0000.00000004.00000020.00020000.00000000.sdmp, WER460.tmp.dmp.8.dr
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.3736434903.00000000072B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp, WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Management.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.ni.pdbRSDSl source: WER460.tmp.dmp.8.dr
      Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Management.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbf( source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbMr source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbvU source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Numerics.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbV source: powershell.exe, 00000004.00000002.3765288303.000000000932A000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Data.pdb, source: WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl, source: powershell.exe, 00000004.00000002.3765288303.00000000092E2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.pdb$XTA source: WER460.tmp.dmp.8.dr
      Source: Binary string: 0u)oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb_3< source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.pdbA source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbL source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER460.tmp.dmp.8.dr
      Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000004.00000002.3694831683.0000000003082000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbe source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Xml.ni.pdbRSDS# source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Core.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Transactions.ni.pdbRSDSc source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.ni.pdbRSDSw source: WER460.tmp.dmp.8.dr
      Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER460.tmp.dmp.8.dr
      Source: Binary string: erShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: System.Configuration.Install.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbfid source: powershell.exe, 00000004.00000002.3765288303.00000000092E2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: o0C:\Windows\mscorlib.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32tions.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Object[])gement.Automation.InvocationInfo, System.Object[]) source: powershell.exe, 00000004.00000002.3765288303.000000000932A000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Xml.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbdk"I source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Configuration.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: Microsoft.WindowsAuthenticationProtocols.Commands.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Xml.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb)r source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: %%.pdb source: powershell.exe, 00000004.00000002.3741684886.0000000007FA4000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbe source: powershell.exe, 00000004.00000002.3765288303.000000000932A000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.WindowsAuthenticationProtocols.Commands.pdb@ source: WER460.tmp.dmp.8.dr
      Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Configuration.pdb8"rl8"rl= source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Core.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Transactions.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: \??\C:\Windows\mscorlib.pdbu source: powershell.exe, 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Transactions.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.ni.pdb source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Management.pdbD source: WER460.tmp.dmp.8.dr
      Source: Binary string: System.Core.ni.pdbRSDS source: WER460.tmp.dmp.8.dr
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_046E1544 push cs; ret 4_2_046E14F7
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_046E031D push ss; ret 4_2_046E0327
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_046E0D9D push ds; ret 4_2_046E0DA7
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_046E28ED push eax; ret 4_2_046E28F1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_046EBA24 push es; iretd 4_2_046EBA33
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_046E1B8D push eax; iretd 4_2_046E1B9B
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_046E1B85 push eax; iretd 4_2_046E1B9B
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_096C8CE0 push esp; ret 4_2_096C92D3
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_09841871 push 000000C3h; ret 4_2_09841933
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_09841B40 push 76E8CE8Bh; retf 4_2_09841B47
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_09846DC8 push 000000C3h; ret 4_2_09846DF3
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_098464F9 push 000000C3h; ret 4_2_0984651B
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_09841C0C pushad ; ret 4_2_09841C13
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_09841C2D push esp; ret 4_2_09841C33
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_09846451 push 000000C3h; ret 4_2_09846483
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_09843790 push 000000C3h; ret 4_2_098437DB
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_0984DFA0 push esp; ret 4_2_0984DFF3
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_09847650 pushad ; ret 4_2_09847663
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_09849E69 pushad ; ret 4_2_09849E93
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_09849E69 push esp; ret 4_2_09849EB3
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_0987A1DD push 8BD68B50h; retf 4_2_0987A1E2
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_0987A176 push esi; iretd 4_2_0987A177
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_09879775 push 8BD78B50h; retf 4_2_0987977A
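The "Process created" rows above record the chain that the report's Sigma hits for a suspicious PowerShell parameter substring and an insecure execution policy describe: a native powershell.exe started with -ExecutionPolicy unrestricted relaunches the same script in the 32-bit SysWOW64 powershell.exe with -ex bypass -nonI, and that child later crashes and spawns WerFault for PID 4488, the same process whose memory matched the Empire and Mimikatz rules and holds the push/ret code listed just above. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it replays those four rows as constructed process-creation events (the fields are the ones a Sysmon event 1 or Windows 4688 record carries) and normalises abbreviated PowerShell switches before matching, so -ex and -ExecutionPolicy are treated as one thing. The switch abbreviation table is an assumption modelled on Windows PowerShell 5.1's console host parser; the tokenizer only understands double quotes.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of its creator
    command_line: str


# Constructed from the report's "Process created" rows (parent = "Source:" column).
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCRIPT = r"C:\Users\user\Desktop\eszstwQPwq.ps1"
EVENTS = [
    ProcEvent(PS64, "unknown", f'"{PS64}" -noLogo -ExecutionPolicy unrestricted -file "{SCRIPT}"'),
    ProcEvent(r"C:\Windows\System32\conhost.exe", PS64, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(PS32, PS64, f'"{PS32}" -ex bypass -nonI {SCRIPT}'),
    ProcEvent(r"C:\Windows\SysWOW64\WerFault.exe", PS32, r"C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 2896"),
]

# powershell.exe accepts any prefix of a switch name at least as long as the
# listed minimum, so "-ex bypass" and "-ExecutionPolicy bypass" are the same.
# ASSUMPTION: table modelled on Windows PowerShell 5.1's console host parser.
SWITCHES = [  # (canonical name, shortest accepted abbreviation, takes a value)
    ("EncodedCommand", "e", True),
    ("ExecutionPolicy", "ex", True),
    ("NonInteractive", "noni", False),
    ("NoLogo", "nol", False),
    ("NoProfile", "nop", False),
    ("File", "f", True),
    ("Command", "c", True),
]


def resolve_switch(token):
    """Map a '-ex' / '/ExecutionPolicy' style token to (name, takes_value), else None."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    key = token[1:].lower()
    for name, shortest, takes_value in SWITCHES:
        if name.lower().startswith(key) and len(key) >= len(shortest):
            return name, takes_value
    return None


def split_cmdline(cmdline):
    """Whitespace tokenizer that keeps double-quoted spans together (quotes dropped)."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_powershell_args(cmdline):
    """Normalise a powershell.exe command line to {CanonicalSwitch: value}; bare
    tokens (and everything after -File/-Command) are kept under 'Positional'."""
    args, tokens, i = {"Positional": []}, split_cmdline(cmdline)[1:], 0
    while i < len(tokens):
        resolved = resolve_switch(tokens[i])
        if resolved is None:
            args["Positional"].append(tokens[i])
            i += 1
            continue
        name, takes_value = resolved
        if takes_value:
            args[name] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
            if name in ("File", "Command"):  # the rest belongs to the script
                args["Positional"].extend(tokens[i:])
                break
        else:
            args[name] = True
            i += 1
    return args


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def findings_for(ev):
    """Insecure execution policy, 64-bit to 32-bit relaunch, PowerShell crash."""
    out, child, parent = [], _basename(ev.image), _basename(ev.parent_image)
    if child == "powershell.exe":
        policy = str(parse_powershell_args(ev.command_line).get("ExecutionPolicy", "")).lower()
        if policy in ("bypass", "unrestricted"):
            out.append(f"execution policy set to {policy}")
        # A System32 PowerShell spawning the SysWOW64 build is a bitness hop a
        # benign script has no reason to make (here it hosts the push/ret code).
        if (parent == "powershell.exe" and "\\syswow64\\" in ev.image.lower()
                and "\\system32\\" in ev.parent_image.lower()):
            out.append("64-bit PowerShell relaunched as 32-bit (SysWOW64)")
    elif child == "werfault.exe" and parent == "powershell.exe":
        pid = re.search(r"-p\s+(\d+)", ev.command_line)
        out.append(f"PowerShell process {pid.group(1) if pid else '?'} crashed (WerFault spawned)")
    return out


def triage(events):
    """Return {event index: findings} for every event with at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := findings_for(ev))}
```

Calling triage(EVENTS) flags rows 0, 2 and 3; the conhost row stays silent. To use it on real telemetry, build ProcEvent objects from your log source and extend SWITCHES as needed. The bitness check is the cheap, high-signal rule here: substring matching on "bypass" alone misses -ex spelled other ways and fires on plenty of admin tooling, whereas a System32 to SysWOW64 PowerShell hop followed by a crash of that child is the shape this report shows.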

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (repeated 4 times)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (repeated 3 times)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (repeated 40 times)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2632
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5501
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6548
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3012
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5468 Thread sleep time: -6456360425798339s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6996 Thread sleep time: -2767011611056431s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3148 Thread sleep time: -6456360425798339s >= -30000s
      Source: Amcache.hve.8.dr Binary or memory string: VMware
      Source: powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
      Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
      Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
      Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
      Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
      Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
      Source: powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
      Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
      Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
      Source: Amcache.hve.8.dr Binary or memory string: VMware-42 27 6e d0 59 6b 97 52-b4 9a 7f 42 1f 0e 66 9c
      Source: powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
      Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
      Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
      Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
      Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
      Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
      Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
      Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
      Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
      Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
      Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\eszstwQPwq.ps1 Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
      Source: Amcache.hve.8.drBinary or memory string: msmpeng.exe
      Source: Amcache.hve.8.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
      Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
      Source: Amcache.hve.8.drBinary or memory string: MsMpEng.exe

      Remote Access Functionality

      Source: powershell.exe, 00000004.00000002.3723941905.0000000006111000.00000004.00000800.00020000.00000000.sdmpMemory string: $Shellcode1 += 0x48
      Source: powershell.exe, 00000004.00000002.3723941905.0000000006111000.00000004.00000800.00020000.00000000.sdmpMemory string: $PEHandle = [IntPtr]::Zero
      Source: Yara matchFile source: 00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000002.3723941905.0000000005DEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4488, type: MEMORYSTR
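The two memory strings above ($PEHandle initialised to [IntPtr]::Zero and a $Shellcode byte array being built up one byte at a time) are the fingerprint of a PowerShell reflective PE / shellcode loader, and the process-creation line earlier in this section shows the 64-bit powershell.exe relaunching the same script under SysWOW64 with "-ex bypass -nonI". The following Python turns those observations into triage rules that can be run over process-creation and script-block events. It is an added example, not code from the report, from Joe Sandbox or from the sample: the rule names, the regular expressions, the reading of the SysWOW64 respawn as a way to reach a 32-bit process, and the sample events are this example's own constructions, patterned on the report's process tree and memory strings.

```python
"""Triage rules for the PowerShell indicators in this report.

Added example, not code from the report, from Joe Sandbox or from the sample.
The rule names, regular expressions and sample events are constructions of
this example, patterned on the report's process tree and memory strings.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# PowerShell accepts any unambiguous prefix of a parameter name, so "-ex",
# "-exec" and "-ep" all select -ExecutionPolicy and "-nonI" selects
# -NonInteractive. Substring rules have to allow for that.
EXEC_POLICY_RE = re.compile(
    r"-(?:ex|exec|ep|executionpolicy)\s+(bypass|unrestricted)", re.I)
NONINTERACTIVE_RE = re.compile(r"-noni", re.I)
# Variable assignments characteristic of PowerShell reflective PE / shellcode
# loaders; the report's memory dump shows "$PEHandle = [IntPtr]::Zero" and
# "$Shellcode1 += 0x48".
REFLECTIVE_LOADER_RE = re.compile(
    r"\$PEHandle\s*=\s*\[IntPtr\]::Zero|\$Shellcode\w*\s*\+=\s*0x[0-9a-f]{2}", re.I)

X64_PS = r"\system32\windowspowershell\v1.0\powershell.exe"
WOW64_PS = r"\syswow64\windowspowershell\v1.0\powershell.exe"


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def check_process_creation(parent: str, image: str, cmdline: str) -> list[Finding]:
    """Rules over a process-creation event (Sysmon 1 / Security 4688 style)."""
    findings: list[Finding] = []
    policy = EXEC_POLICY_RE.search(cmdline)
    if policy:
        findings.append(Finding("insecure_execution_policy",
                                f"-ExecutionPolicy {policy.group(1)}"))
        if NONINTERACTIVE_RE.search(cmdline):
            findings.append(Finding("suspicious_parameter_substring",
                                    "policy bypass combined with -NonInteractive"))
    # A 64-bit powershell.exe relaunching the same script under SysWOW64 is
    # one way for a script to reach a 32-bit process for x86 shellcode
    # (this example's interpretation of the report's process tree).
    if parent.lower().endswith(X64_PS) and image.lower().endswith(WOW64_PS):
        findings.append(Finding("x64_to_wow64_powershell_respawn",
                                f"{parent} -> {image}"))
    return findings


def check_scriptblock(text: str) -> list[Finding]:
    """Rules over script-block text (PowerShell event 4104 or a memory dump)."""
    return [Finding("reflective_loader_string", m.group(0))
            for m in REFLECTIVE_LOADER_RE.finditer(text)]


# Constructed sample events patterned on this report's process tree; the
# last one is a benign control that should produce no finding.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'-noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\eszstwQPwq.ps1"'},
    {"type": "process",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" '
                r'-ex bypass -nonI C:\Users\user\Desktop\eszstwQPwq.ps1'},
    {"type": "scriptblock",
     "text": "$PEHandle = [IntPtr]::Zero\n$Shellcode1 += 0x48\n"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
]


def triage(events: list[dict]) -> list[Finding]:
    """Run every rule over a list of events and return all findings."""
    findings: list[Finding] = []
    for ev in events:
        if ev["type"] == "process":
            findings.extend(check_process_creation(ev["parent"], ev["image"], ev["cmdline"]))
        elif ev["type"] == "scriptblock":
            findings.extend(check_scriptblock(ev["text"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:36} {f.detail}")
```

Run against the constructed events, the first launch trips only the insecure execution policy rule, the SysWOW64 relaunch trips all three process rules, the script block yields two loader-string findings and the benign control yields none. One reading caveat for the evidence earlier in this section: Amcache.hve.8.dr is best read as a copy of the analysis machine's own Amcache registry hive, so the VMware, VMCI and Hyper-V driver names quoted from it describe the sandbox's virtual hardware rather than a virtualization check performed by the script; the sample's own anti-analysis behaviour is evidenced by the DebugPort queries listed above.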
MITRE ATT&CK Matrix (reconstructed by tactic from the flattened table; techniques are listed in the report's row order, and an entry prefixed with a number is one the report marks as matched, the number being the count shown in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 DLL Side-Loading; 1 Obfuscated Files or Information; Software Packing; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 21 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 11 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1579862 | Sample: eszstwQPwq.ps1 | Start date: 23/12/2024 | Architecture: WINDOWS | Score: 92

Signatures attached to the sample node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected MetasploitPayload; 3 other signatures

Process tree from the graph:
  powershell.exe (started by the sample)
    conhost.exe
    powershell.exe (child; signatures: Found post-exploitation toolkit Empire; Loading BitLocker PowerShell Module)
      WerFault.exe
      conhost.exe

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label | Link
eszstwQPwq.ps1 | 29% | ReversingLabs | Script-PowerShell.Trojan.Lockbit | -

No Antivirus matches (reported for each of the four remaining scanner tables)
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | - | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | - | high

URLs

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.3553675919.000001ADD2B3E000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000002.00000002.3518249289.000001ADC45F2000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.3723941905.0000000005DEF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000002.00000002.3518249289.000001ADC415A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.microsoft | powershell.exe, 00000004.00000002.3736434903.0000000007326000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000004.00000002.3723941905.0000000005DEF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.3553675919.000001ADD2B3E000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000002.00000002.3518249289.000001ADC45F2000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.3723941905.0000000005DEF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000004.00000002.3723941905.0000000005DEF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.3723941905.0000000005DEF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://upx.sf.net | Amcache.hve.8.dr | false | - | high
https://aka.ms/pscore6 | powershell.exe, 00000004.00000002.3697190916.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.3518249289.000001ADC2781000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.3518249289.000001ADC2781000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.3697190916.0000000004BC1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.3697190916.0000000004DB2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://oneget.org | powershell.exe, 00000002.00000002.3518249289.000001ADC415A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                                              No contacted IP infos
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1579862
                                              Start date and time:2024-12-23 12:33:14 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 6m 49s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:eszstwQPwq.ps1
                                              renamed because original name is a hash value
                                              Original Sample Name:82d89a75d80e80e4be42c9eb79e401558c9fa3175648cd0c0467f2de1a07a908.ps1
                                              Detection:MAL
                                              Classification:mal92.rans.troj.spyw.winPS1@6/15@0/0
                                              EGA Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 31
                                              • Number of non-executed functions: 8
                                              Cookbook Comments:
                                              • Found application associated with file extension: .ps1
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.109.210.53, 13.107.246.63, 20.190.147.1
                                              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net
                                              • Execution Graph export aborted for target powershell.exe, PID 1408 because it is empty
                                              • Execution Graph export aborted for target powershell.exe, PID 4488 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtCreateKey calls found.
                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                              • Report size getting too big, too many NtSetInformationFile calls found.
                                              • VT rate limit hit for: eszstwQPwq.ps1
Time | Type | Description
06:36:11 | API Interceptor | 41x Sleep call for process: powershell.exe modified
06:36:27 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
bg.microsoft.map.fastly.net | #U5b89#U88c5#U52a9#U624b_2.0.8.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | fiFdIrd.txt.js | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 5XXofntDiN.exe | malicious | LummaC | 199.232.210.172
bg.microsoft.map.fastly.net | p3a0oZ4U7X.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | lKin1m7Pf2.lnk | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | fKdiT1D1dk.exe | malicious | RHADAMANTHYS | 199.232.214.172
bg.microsoft.map.fastly.net | #U5b89#U88c5#U52a9#U624b_1.0.8.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Support.Client.exe | malicious | ScreenConnect Tool | 199.232.214.172
bg.microsoft.map.fastly.net | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Rechnung736258.pdf.lnk | malicious | LummaC | 199.232.214.172
fp2e7a.wpc.phicdn.net | 30136156071477318040.js | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | BJQizQ6sqT.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | 6vNMeuQvlu.exe | malicious | Clipboard Hijacker, Cryptbot | 192.229.221.95
fp2e7a.wpc.phicdn.net | 2ZsJ2iP8Q2.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | BVGvbpplT8.exe | malicious | LummaC, Stealc | 192.229.221.95
fp2e7a.wpc.phicdn.net | mgEXk8ip26.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | r4xiHKy8aM.exe | malicious | Socks5Systemz | 192.229.221.95
fp2e7a.wpc.phicdn.net | dnf5RWZv2v.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | crhRJnVd08.exe | malicious | Clipboard Hijacker, Cryptbot | 192.229.221.95
fp2e7a.wpc.phicdn.net | xWnpPJbKGK.exe | malicious | Cryptbot | 192.229.221.95
Note: both matched hosts are CDN endpoints that Windows itself contacts (bg.microsoft.map.fastly.net fronts Microsoft content on Fastly, fp2e7a.wpc.phicdn.net is an Edgecast host), so the overlap with unrelated LummaC, Cryptbot and RHADAMANTHYS samples reflects shared benign infrastructure seen in many analyses, not a C2 relationship with this sample.
                                              No context
                                              No context
                                              No context
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):1.507223272903657
                                              Encrypted:false
                                              SSDEEP:192:aumJCie/C7U0BU/4jaRyva7EX2xKHYLzuiFtZ24IO8T:7msj/WPBU/4jsX7EXezuiFtY4IO8T
                                              MD5:979187BA96D5F57EA9D7D18D8291F3DD
                                              SHA1:7674B9D5D6C793AF63414D0C6DB1434492BEE55A
                                              SHA-256:61B8E8FFBFB447CCBD54E7A0B19DD208E593008DFA760D7267E4CE86814DB78A
                                              SHA-512:85159DF5FFCD1B7940D9508F5BFB485A69C4569166934CC28703A63BA24A59986D6CFC4E102A72F06AAA61A4E4851C00F1CD92F85947705D3BF6EFB73F2C5682
                                              Malicious:false
                                              Reputation:low
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.4.2.7.3.7.6.7.2.3.0.9.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.4.2.7.3.7.8.0.8.2.4.5.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.3.0.7.f.c.8.3.-.c.d.0.e.-.4.f.7.d.-.b.2.4.6.-.1.c.9.7.f.c.2.2.b.6.b.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.b.3.6.0.1.2.-.9.a.d.5.-.4.6.1.f.-.a.a.0.c.-.e.b.c.8.9.4.7.f.4.4.6.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.8.8.-.0.0.0.1.-.0.0.1.4.-.e.5.f.c.-.4.4.d.e.2.e.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.5.e.e.8.9.b.b.1.e.4.a.0.b.1.c.3.c.7.f.1.e.8.d.0.5.d.0.6.7.7.f.2.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Mon Dec 23 11:36:17 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):688003
                                              Entropy (8bit):3.7532358644051427
                                              Encrypted:false
                                              SSDEEP:6144:K9SbTdh2xiXSu0ZWCH5RTPWif19/vo5Knr5aLX8:KW2xiXSuyH/1f1ZoQYI
                                              MD5:9F21188C9FAAB2E4F722C226BDE6FF9E
                                              SHA1:82C101933DCFCC15B8357B1873349CC5D2DCF834
                                              SHA-256:89EF7CC539707D73DF905187727A513D7AEB2677448F45D015E561E8EB8D4F8E
                                              SHA-512:4C6258BFD3B54366E58177EE0C160E6BBFBC88369C8287AB5CE65A26C74612E2F7DC843AA3CB4DD7FC5C0A6F687661FC6940075E9BFD34FFB1FDD977F8A23DAD
                                              Malicious:false
                                              Reputation:low
                                              Preview:MDMP..a..... .......1Kig.........................(..........................T.......8...........T...........Xq..+............3...........5..............................................................................eJ.......5......GenuineIntel............T...........,Kig.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8388
                                              Entropy (8bit):3.7043984716823135
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJAQ6j6YtrSUdX6GgmfM/Bpro89bPUsfxnFm:R6lXJH6j6YxSUdbgmfM/pPHfxI
                                              MD5:45305756D3088308EC5608A83C35FF6C
                                              SHA1:2871BACB98BA0E38C62F3EA1F719D7A40B1A647D
                                              SHA-256:D0FBFB4C6197DE8D6ECA69FF6B84EF9426AC77B197F391F153DF5EB7A6D9702C
                                              SHA-512:497C7D3492961BAEDE8BB879DC8AC14A83BE6D82DB6FDB95E5A77AD0DEBA7C4999A526F0DA0A58EE8FCB43F7AE664AA1CC7E28F758F1B806E38F6C127530721D
                                              Malicious:false
                                              Reputation:low
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.4.8.8.<./.P.i.
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4702
                                              Entropy (8bit):4.498116971198339
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsncJg77aI9LAWpW8VYx5Ym8M4JQ/WFH+q8mjWWX7+etd:uIjfnaI7B57VCoJQs5WE7+2d
                                              MD5:2819C05A802A6D98EFC301CB0AA3DA9D
                                              SHA1:6C92A44DE5FFA0C58F9578CFA484C161FAF0990F
                                              SHA-256:5EFFC487F88A753983F45B19A0AAB1B4AF52F0A73C9B6FF3C55D3FE47D4AA49E
                                              SHA-512:8B7B87AC3AAA0D9FB64529183915C5C53C943295CC10CE8BD7BB26C7344B14829D0EFFA57BE21574A62CB7B7E19B5EB956040DB432F0B75DCB5D30EB68C157B0
                                              Malicious:false
                                              Reputation:low
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="643838" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):1.1940658735648508
                                              Encrypted:false
                                              SSDEEP:3:Nlllul5vR/ltZ:NllU
                                              MD5:B0C7CD32494D3E97C3D391E3F6C0284B
                                              SHA1:E4AEC8EAF1CE6EAB53081BFC3CF83CA5345D0EBD
                                              SHA-256:073696C1E4001510008CF5A1A93E8AAE5B9E48FA6648A0A09A70B824ACAE5D53
                                              SHA-512:52D4CD24B6B1D7EB83BA3E2F41AEE0488DC8D32843D145019F45901FDBBCE019196DB419BE16222319D9C62D22E4ED5DF8E51E916877E763F3FE6DA8C72A6B00
                                              Malicious:false
                                              Reputation:low
                                              Preview:@...e.................................(.4............@..........
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
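The six identical 60-byte dropped files above are the probe that powershell.exe writes to check whether AppLocker or WDAC enforces script rules (which decides whether the session runs in Constrained Language Mode); they are a PowerShell artifact, not something the sample dropped. The following added example (not Joe Sandbox code, not part of the original report) recomputes the fields each dropped-file entry carries, Size, Entropy (8bit) and the MD5/SHA hashes, from raw bytes, so an analyst can verify a recovered file against the values a report lists. The probe content is taken from the preview, with the trailing space the 60-byte size implies; the 7.0 entropy cut-off used to stand in for the report's "Encrypted" flag is an assumption, not the sandbox's own rule.

```python
"""Recompute dropped-file metadata (size, 8-bit entropy, hashes) from bytes.

Added example, not Joe Sandbox code. The ENTROPY_ENCRYPTED_THRESHOLD value is
an assumed heuristic standing in for the report's "Encrypted" column.
"""
import hashlib
import math
from collections import Counter

# Probe file content as shown in the report's preview; the trailing space is
# what brings the length to the 60 bytes the report lists.
APPLOCKER_PROBE = b"# PowerShell test file to determine AppLocker lockdown mode "

# Assumed cut-off: high entropy suggests encrypted or packed content.
ENTROPY_ENCRYPTED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty or uniform input,
    8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_metadata(data: bytes) -> dict:
    """Compute the fields a dropped-file entry carries from the raw bytes.
    Hashes are upper-cased to match the report's presentation."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": entropy,
        "encrypted": entropy >= ENTROPY_ENCRYPTED_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def matches_report(data: bytes, size: int, entropy: float, md5: str) -> bool:
    """True when a recovered file reproduces the size, entropy and MD5 that a
    report entry lists for it (entropy compared with a small tolerance)."""
    m = file_metadata(data)
    return (
        m["size"] == size
        and math.isclose(m["entropy"], entropy, abs_tol=1e-9)
        and m["md5"] == md5.upper()
    )


if __name__ == "__main__":
    # Compare the probe file against the values in the report entries above.
    for key, value in file_metadata(APPLOCKER_PROBE).items():
        print(f"{key}: {value}")
    print("matches report:", matches_report(
        APPLOCKER_PROBE, 60, 4.038920595031593, "D17FE0A3F47BE24A6453E9EF58C94641"))
```

Run against the six probe entries, the computed size, entropy and hashes reproduce the report's values, which is the quickest way to confirm that these files are the standard PowerShell probe and can be excluded from the sample's own artifacts; the same routine applied to the WerFault minidump or the Amcache.hve copy gives the low entropy the report shows for them, consistent with their Encrypted:false flags.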
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):6221
                                              Entropy (8bit):3.7071322320279005
                                              Encrypted:false
                                              SSDEEP:96:g7WYXWQafCKzv/wkvhkvCCtOZluHFZlxHI:g7WYXWQajz3cOZyZ0
                                              MD5:39DE44584A53AE227B5ADF13515B9FB3
                                              SHA1:9849A5938B82CF39B4D7DCE7B117A1C38B99F30D
                                              SHA-256:B2DF96B191C5FD1FFBB6F1150AB2C96F84C4F5DD4F4F5214A97061E14DCCFBC7
                                              SHA-512:43B65921CFE776C9E433EE3FB4892464962FC4AE80A437DCED27008C376D106395D73DB44E336B2AAFF9BAA96338400D8D27A6AC9F7325B879C9082E8DD43377
                                              Malicious:false
                                              Preview:...................................FL..................F.".. ....O.)......G..U..z.:{.............................:..DG..Yr?.D..U..k0.&...&......X..).....u...U..>P\..U......t...CFSF..1.....EW.`..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.`.YF\............................F.A.p.p.D.a.t.a...B.V.1......YL\..Roaming.@......EW.`.YL\..............................R.o.a.m.i.n.g.....\.1.....EW.b..MICROS~1..D......EW.`.YF\..........................k...M.i.c.r.o.s.o.f.t.....V.1.....EWwc..Windows.@......EW.`.YF\...........................4..W.i.n.d.o.w.s.......1.....EW.`..STARTM~1..n......EW.`.YF\....................D.....\M=.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.a..Programs..j......EW.`.YF\....................@.....?.(.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.`EW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW.`.Yw\.....U..........
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):6221
                                              Entropy (8bit):3.7071322320279005
                                              Encrypted:false
                                              SSDEEP:96:g7WYXWQafCKzv/wkvhkvCCtOZluHFZlxHI:g7WYXWQajz3cOZyZ0
                                              MD5:39DE44584A53AE227B5ADF13515B9FB3
                                              SHA1:9849A5938B82CF39B4D7DCE7B117A1C38B99F30D
                                              SHA-256:B2DF96B191C5FD1FFBB6F1150AB2C96F84C4F5DD4F4F5214A97061E14DCCFBC7
                                              SHA-512:43B65921CFE776C9E433EE3FB4892464962FC4AE80A437DCED27008C376D106395D73DB44E336B2AAFF9BAA96338400D8D27A6AC9F7325B879C9082E8DD43377
                                              Malicious:false
                                              Preview:...................................FL..................F.".. ....O.)......G..U..z.:{.............................:..DG..Yr?.D..U..k0.&...&......X..).....u...U..>P\..U......t...CFSF..1.....EW.`..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.`.YF\............................F.A.p.p.D.a.t.a...B.V.1......YL\..Roaming.@......EW.`.YL\..............................R.o.a.m.i.n.g.....\.1.....EW.b..MICROS~1..D......EW.`.YF\..........................k...M.i.c.r.o.s.o.f.t.....V.1.....EWwc..Windows.@......EW.`.YF\...........................4..W.i.n.d.o.w.s.......1.....EW.`..STARTM~1..n......EW.`.YF\....................D.....\M=.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.a..Programs..j......EW.`.YF\....................@.....?.(.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.`EW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW.`.Yw\.....U..........
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:MS Windows registry file, NT/2000 or above
                                              Category:dropped
                                              Size (bytes):1835008
                                              Entropy (8bit):4.569335280332814
                                              Encrypted:false
                                              SSDEEP:6144:RoPefZnQMa3tfL9bn90foomgsattlbSldrUHT7hSgkSNv0juQJYchUJvTGA/BsL6:iPZAooVJHnsg/d1TNqG
                                              MD5:3740BD047606D6D240A8F8ACE58A13EA
                                              SHA1:EC49A6D534B30C4F2F50463C2DCC82444830D20A
                                              SHA-256:A2B31C77CA845A897228A49562EE65D48772987997AA2E216D7D4531306295EB
                                              SHA-512:1E82FEC4A77DBD03A42F34C22857AE758CF28CDF0245B029333791C06C842F79D8DC360870143A1075F83EA6579A7EABA71F6671362E47EA899BD6859F4AC0F4
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with very long lines (352), with CRLF, LF line terminators
                                              Category:dropped
                                              Size (bytes):17469
                                              Entropy (8bit):4.862417075093522
                                              Encrypted:false
                                              SSDEEP:384:rYt1RRRRCi8fRRRRCZ8fRRCc8fRRRCZ8fRRCi8fRRCZ8fRRC28fRRC28fRRRCZ88:4RRRRCi8fRRRRCZ8fRRCc8fRRRCZ8fRP
                                              MD5:EB82357200A775D2D04FE24E41EA0745
                                              SHA1:BAB43848FAC50E0F1430BB4B427D4FA2C2D8B511
                                              SHA-256:C03078507943E525B4D0EE82C5CF1A7DDA0CF96B4CE67BDAC145A00068EEBD99
                                              SHA-512:134DF59809A38363BA9C10882F45BAAAE09EC83E9E2C5C56A80F6DF5875871C678D4EB057783FE79C6100BA3BCB74AF0C55C327BB31600F7F344CA729712C543
                                              Malicious:false
                                              Preview:.Unhandled Exception: System.Runtime.InteropServices.SEHException: External component has thrown an exception... at CallSite.Target(Closure , CallSite , Object , Object , Int32 , IntPtr ).. at System.Dynamic.UpdateDelegates.UpdateAndExecute4[T0,T1,T2,T3,TRet](CallSite site, T0 arg0, T1 arg1, T2 arg2, T3 arg3).. at System.Management.Automation.Interpreter.DynamicInstruction`5.Run(InterpretedFrame frame).. at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame).. at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame).. at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame).. at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame).. at System.Management.Automation.Interpreter.Interpreter.Run(InterpretedFrame frame).. at System.Management.Automation.Interpreter.LightLambda.RunVoid1
                                              File type:ASCII text, with very long lines (65312), with CRLF, LF line terminators
                                              Entropy (8bit):3.473913378031167
                                              TrID:
                                                File name:eszstwQPwq.ps1
                                                File size:604'899 bytes
                                                MD5:d96d2bcf13d55740f3bb64d45d2db94d
                                                SHA1:4ded4b1d4866a4adf534f5a4eb66386465fe3120
                                                SHA256:82d89a75d80e80e4be42c9eb79e401558c9fa3175648cd0c0467f2de1a07a908
                                                SHA512:cb1fbe8f36630915796d864c5a044177ea4ad881281ec454f932232fff99ce0524fb63becd96581a23cfe12bc455d55b613aaa389aa0a68fac97748400f473bd
                                                SSDEEP:1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJh:QA
                                                TLSH:C5D42AF063A099E3B6D94993A265195D3B2A103FBDC635D84083FBDD1C7BAC08A19CD7
                                                File Content Preview:for ($i = 0; $i -lt $args.count; $i++ ){$argument += $args[$i] + ' '} . $psFile=$PSCommandPath.$global:ProgressPreference = "SilentlyContinue"....# -- thread variables..$script:threadBody = '$data=$threadData;'..$data = @(..@(62416317159553766,61715855556
                                                Icon Hash:3270d6baae77db44
                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                  Dec 23, 2024 12:34:45.032731056 CET | 1.1.1.1 | 192.168.2.12 | 0x1ea6 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                                  Dec 23, 2024 12:34:45.032731056 CET | 1.1.1.1 | 192.168.2.12 | 0x1ea6 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                  Dec 23, 2024 12:34:46.598730087 CET | 1.1.1.1 | 192.168.2.12 | 0x469c | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                  Dec 23, 2024 12:34:46.598730087 CET | 1.1.1.1 | 192.168.2.12 | 0x469c | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false

                                                Target ID:2
                                                Start time:06:35:42
                                                Start date:23/12/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\eszstwQPwq.ps1"
                                                Imagebase:0x7ff63c0a0000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:06:35:44
                                                Start date:23/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff704000000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:06:36:12
                                                Start date:23/12/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\eszstwQPwq.ps1
                                                Imagebase:0x9e0000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000004.00000002.3772406030.0000000010016000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000004.00000002.3772406030.0000000010016000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Hacktool_Mimikatz_355d5d3a, Description: Detection for Invoke-Mimikatz, Source: 00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Empire_Invoke_Gen, Description: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                • Rule: Empire_PowerShell_Framework_Gen5, Description: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000004.00000002.3723941905.0000000005DAA000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000004.00000002.3765288303.0000000009387000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000004.00000002.3723941905.0000000006111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000004.00000002.3723941905.0000000006111000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000004.00000002.3723941905.0000000005DEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:06:36:12
                                                Start date:23/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff704000000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:8
                                                Start time:06:36:16
                                                Start date:23/12/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 2896
                                                Imagebase:0xe50000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.3573553679.00007FFE18460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE18460000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ffe18460000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 20d871429bcbee909378c8defe75697cba44a48b506e0b811022e2caca0f14da
                                                  • Instruction ID: 1e1b8136fab509626cd7126fd739159a8f95654536c13c2a98b46336945e05d5
                                                  • Opcode Fuzzy Hash: 20d871429bcbee909378c8defe75697cba44a48b506e0b811022e2caca0f14da
                                                  • Instruction Fuzzy Hash: E901A73111CB0C4FDB44EF0CE451AA5B3E0FB85324F10056DE58AC3265DB32E891CB45
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3738549414.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll
                                                  • API String ID: 0-2382127269
                                                  • Opcode ID: 3dc88aa6090b721d2db1636423fabf027493bdccd02c6c9b75fae7e68f6206d4
                                                  • Instruction ID: d8fd397eb5334af383d0513e53577a26e56a1e28af5a62e44f60c8637dca8aae
                                                  • Opcode Fuzzy Hash: 3dc88aa6090b721d2db1636423fabf027493bdccd02c6c9b75fae7e68f6206d4
                                                  • Instruction Fuzzy Hash: BE423BB6B00209DFE714CE99C950AAAF7B2BF89304F14C0A9D91D9B755CB72EC41CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3738549414.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$h2ck
                                                  • API String ID: 0-1402868813
                                                  • Opcode ID: 27d11c2429b94fcb3796ef0a680ffdb6f6abaa70f213db7f265b48f7f4977a38
                                                  • Instruction ID: 845d47a378ce1f531668485a166baff1494d6b9d9e83d4ce259be7e535a5fbde
                                                  • Opcode Fuzzy Hash: 27d11c2429b94fcb3796ef0a680ffdb6f6abaa70f213db7f265b48f7f4977a38
                                                  • Instruction Fuzzy Hash: 827215B5B002159FEB20CF18C950BA9B7B2EF8A304F15C1A9E90D9B755CB72ED81CB51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3738549414.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: L[ll$L[ll$L[ll$L[ll$L[ll$L[ll$L[ll
                                                  • API String ID: 0-1896317880
                                                  • Opcode ID: 8025e3bbfdcf5cd40f74ab539951ffcb13b65be4082eca5397c6ac6c391365e7
                                                  • Instruction ID: 32d098d1b00e6b2a9e66600d5625f33e4f3782cad3c01e3ab06b7fc8269b343f
                                                  • Opcode Fuzzy Hash: 8025e3bbfdcf5cd40f74ab539951ffcb13b65be4082eca5397c6ac6c391365e7
                                                  • Instruction Fuzzy Hash: 3B7205B5B002159FEB20CF08C950BA9B7B2EF8A314F15C1A9E90D9B755CB72ED81CB51
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3771827617.0000000009840000.00000040.00000800.00020000.00000000.sdmp, Offset: 09840000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_9840000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3a4770633260096e004a3f2f2a0e04e9bd0853179f4fbffa867e6365c9dc50e1
                                                  • Instruction ID: 1b0859ee2a609de39d4fad7c7201a06c600a51c0ae1b9963c11b205d28e2a42a
                                                  • Opcode Fuzzy Hash: 3a4770633260096e004a3f2f2a0e04e9bd0853179f4fbffa867e6365c9dc50e1
                                                  • Instruction Fuzzy Hash: A9219A329003498FEB10DFA9C4447EEBBF1EF88324F14846AD515AB241DB7A9946CB91
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL(?,?,?), ref: 0984E6B0
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3771827617.0000000009840000.00000040.00000800.00020000.00000000.sdmp, Offset: 09840000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_9840000_powershell.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: c438b542daabc695251b5d71ddcdfb760a78f39ed96e7936d9e15d71f46f2aee
                                                  • Instruction ID: f46c078cc3c3cdcd50d32f5a9809298dc19b4e4811a88ed9fbbf74599b11092d
                                                  • Opcode Fuzzy Hash: c438b542daabc695251b5d71ddcdfb760a78f39ed96e7936d9e15d71f46f2aee
                                                  • Instruction Fuzzy Hash: 9F116A76C002498FDB10DFA9C445BEEBFF1EF88324F148419D558AB341DB399545CB95
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL(?,?,?), ref: 0984E6B0
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3771827617.0000000009840000.00000040.00000800.00020000.00000000.sdmp, Offset: 09840000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_9840000_powershell.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: b1916339a06e00329bd27d3495fce49e071793ebd0902d045f0b51e19e87f4a2
                                                  • Instruction ID: 0b7cc15bba10bd9426f7c6444b7777efe3a92baccfee09689e0ff38399abd669
                                                  • Opcode Fuzzy Hash: b1916339a06e00329bd27d3495fce49e071793ebd0902d045f0b51e19e87f4a2
                                                  • Instruction Fuzzy Hash: F5114C72C003498FDB10DFAAC845BEEBBF5EF88720F148419D514A7240CB79A545CB95
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3696513148.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_46e0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ~dU
                                                  • API String ID: 0-800683389
                                                  • Opcode ID: 1e9ef6d8080e3d496ce3e9a4edd82ae0ff4ee92db8502587f10fa4213fde653d
                                                  • Instruction ID: 136f2640d9e0a03f26d92cce96e5c26d27dbed894ef6b18ee8ecbb2a0a14cfca
                                                  • Opcode Fuzzy Hash: 1e9ef6d8080e3d496ce3e9a4edd82ae0ff4ee92db8502587f10fa4213fde653d
                                                  • Instruction Fuzzy Hash: 98413C74A01205CFCB14CF9DC8849AEBBF1FF88324B248669E915AB7A5D331EC41CB94
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3696513148.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_46e0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 97e5e1b7e0f32b0b740c8a8231aa1d87c29447d9148b205856c0cbbb14c56f7d
                                                  • Instruction ID: 0fabaf88086fd2284d361ee4f682a906787194af92b7046e97e97664237df754
                                                  • Opcode Fuzzy Hash: 97e5e1b7e0f32b0b740c8a8231aa1d87c29447d9148b205856c0cbbb14c56f7d
                                                  • Instruction Fuzzy Hash: E562F574A01209DFDB15DFA9D484AADBBF2FF88310F248559E805AB365D731ED82CB90
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3696513148.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_46e0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 311073dc133bb721fe7c1f1cb5f2fca2ab9107ca7adcc392bac2b9eb86c6d217
                                                  • Instruction ID: 19e1e9522985ae5165b0f4ee0313b2e30fd0c31bbe451a73690995c03bb48a7e
                                                  • Opcode Fuzzy Hash: 311073dc133bb721fe7c1f1cb5f2fca2ab9107ca7adcc392bac2b9eb86c6d217
                                                  • Instruction Fuzzy Hash: C2421974A0120AEFDB05CFA9D484AADBBF2FF48314F148159E905AB365D771ED82CB90
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3770206678.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_96c0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8934b94ca8f9b4bfe328d4a89852d96774baa195c8569f7260f56fa086595a66
                                                  • Instruction ID: 38141b1f9af0f080ab1b587239ee33527250d8ecda0facf6cc167929db002809
                                                  • Opcode Fuzzy Hash: 8934b94ca8f9b4bfe328d4a89852d96774baa195c8569f7260f56fa086595a66
                                                  • Instruction Fuzzy Hash: 8C122674A01259DFCB05CFA8C494AADBBF2FF49310F248199E855AB366D731ED42CB90
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.3696513148.00000000046E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_46e0000_powershell.jbxd