Windows Analysis Report
uEWHR2iblu.ps1

Overview

General Information

Sample name: uEWHR2iblu.ps1
renamed because original name is a hash value
Original sample name: 0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
Analysis ID: 1579863
MD5: 7e525ef64a4e27fbb325d7cb4653f0a1
SHA1: 8d3756c9e7a78a5a7dd8fca67e7de51a9ea59a52
SHA256: 0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9
Tags: lockbit, lockbit40, powershell, ps1, ransomware, user-TheRavenFile

Detection

LockBit ransomware, Metasploit
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found post-exploitation toolkit Empire
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
Yara detected MetasploitPayload
AI detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Suspicious PowerShell Parameter Substring
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number, etc.) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 7716 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\uEWHR2iblu.ps1" MD5: DFD66604CA0898E8E26DF7B1635B6326)
    • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
    • powershell.exe (PID: 4464 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\uEWHR2iblu.ps1 MD5: 3F92A35BA26FF7A11A49E15EFE18F0C2)
      • conhost.exe (PID: 4740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
      • WerFault.exe (PID: 4320 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 3100 MD5: F5210A4A7E411A1BAD3844586A74B574)
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):

Source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_MetasploitPayload_1
Description: Yara detected MetasploitPayload
Author: Joe Security

Source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp
Rule: Windows_Hacktool_Mimikatz_355d5d3a
Description: Detection for Invoke-Mimikatz
Author: unknown
Strings:
  • 0x14a73:$b2: -MemoryAddress $GetCommandLineWAddrTemp
  • 0x14bca:$b2: -MemoryAddress $GetCommandLineWAddrTemp
  • 0x14705:$b3: -MemoryAddress $GetCommandLineAAddrTemp
  • 0x1485c:$b3: -MemoryAddress $GetCommandLineAAddrTemp

Source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp
Rule: Empire_Invoke_Gen
Description: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1
Author: Florian Roth
Strings:
  • 0x14298:$s1: $Shellcode1 += 0x48
  • 0x17968:$s2: $PEHandle = [IntPtr]::Zero
  • 0x1a2ec:$s2: $PEHandle = [IntPtr]::Zero

Source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp
Rule: Empire_PowerShell_Framework_Gen5
Description: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1
Author: Florian Roth
Strings:
  • 0x1b111:$s1: if ($ExeArgs -ne $null -and $ExeArgs -ne '')
  • 0x1b140:$s2: $ExeArgs = "ReflectiveExe $ExeArgs"

Source: 00000006.00000002.2779364666.0000000010016000.00000020.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_LockBit_ransomware
Description: Yara detected LockBit ransomware
Author: Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\uEWHR2iblu.ps1 , CommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\uEWHR2iblu.ps1 , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\uEWHR2iblu.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7716, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\uEWHR2iblu.ps1 , ProcessId: 4464, ProcessName: powershell.exe
Source: Process started; Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\uEWHR2iblu.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\uEWHR2iblu.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 640, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\uEWHR2iblu.ps1", ProcessId: 7716, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\uEWHR2iblu.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\uEWHR2iblu.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 640, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\uEWHR2iblu.ps1", ProcessId: 7716, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: uEWHR2iblu.ps1, ReversingLabs: Detection: 28%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.4% probability

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match, File source: 00000006.00000002.2779364666.0000000010016000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2705040530.0000000006643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detection for Invoke-Mimikatz, Author: unknown
Source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Author: Florian Roth
Source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Author: Florian Roth
Source: 00000006.00000002.2779364666.0000000010016000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Lockbit_369e1e94, Author: unknown
Source: 00000006.00000002.2705040530.0000000006643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Lockbit_369e1e94, Author: unknown
Source: Process Memory Space: powershell.exe PID: 4464, type: MEMORYSTR, Matched rule: Detection for Invoke-Mimikatz, Author: unknown
Source: Process Memory Space: powershell.exe PID: 4464, type: MEMORYSTR, Matched rule: Detects obfuscated PowerShell Code, Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 4464, type: MEMORYSTR, Matched rule: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 4464, type: MEMORYSTR, Matched rule: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 4464, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B4A6906_2_08B4A690
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B4D63A6_2_08B4D63A
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B500806_2_08B50080
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B552A06_2_08B552A0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B55AE06_2_08B55AE0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B53AE86_2_08B53AE8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B513886_2_08B51388
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B51CE06_2_08B51CE0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B545086_2_08B54508
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B5D5726_2_08B5D572
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B5D5786_2_08B5D578
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B50E206_2_08B50E20
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B52FE86_2_08B52FE8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08BC79206_2_08BC7920
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08BC5F206_2_08BC5F20
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E2AA106_2_08E2AA10
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E29A486_2_08E29A48
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E285C86_2_08E285C8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E25FB86_2_08E25FB8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E718806_2_08E71880
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E759906_2_08E75990
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E72EE86_2_08E72EE8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E770F06_2_08E770F0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E761E86_2_08E761E8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E741386_2_08E74138
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E735286_2_08E73528
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E775386_2_08E77538
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E89CD86_2_08E89CD8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E8D0C06_2_08E8D0C0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E8F0286_2_08E8F028
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E8CAA86_2_08E8CAA8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08E8E6206_2_08E8E620
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08EBCB506_2_08EBCB50
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_084800406_2_08480040
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_084800396_2_08480039
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B301B26_2_08B301B2
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B301C06_2_08B301C0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08B384396_2_08B38439
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 3100
      Source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Hacktool_Mimikatz_355d5d3a reference_sample = 945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96, os = windows, severity = x86, description = Detection for Invoke-Mimikatz, creation_date = 2021-04-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Hacktool.Mimikatz, fingerprint = 9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135, id = 355d5d3a-e50e-4614-9a84-0da668c40852, last_modified = 2021-08-23
      Source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Empire_Invoke_Gen date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28
      Source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Empire_PowerShell_Framework_Gen5 date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = 1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8
      Source: 00000006.00000002.2779364666.0000000010016000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
      Source: 00000006.00000002.2705040530.0000000006643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
      Source: Process Memory Space: powershell.exe PID: 4464, type: MEMORYSTR | Matched rule: Windows_Hacktool_Mimikatz_355d5d3a reference_sample = 945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96, os = windows, severity = x86, description = Detection for Invoke-Mimikatz, creation_date = 2021-04-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Hacktool.Mimikatz, fingerprint = 9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135, id = 355d5d3a-e50e-4614-9a84-0da668c40852, last_modified = 2021-08-23
      Source: Process Memory Space: powershell.exe PID: 4464, type: MEMORYSTR | Matched rule: SUSP_Obfuscted_PowerShell_Code date = 2018-12-13, author = Florian Roth, description = Detects obfuscated PowerShell Code, reference = https://twitter.com/silv0123/status/1073072691584880640
      Source: Process Memory Space: powershell.exe PID: 4464, type: MEMORYSTR | Matched rule: Empire_Invoke_Gen date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28
      Source: Process Memory Space: powershell.exe PID: 4464, type: MEMORYSTR | Matched rule: Empire_PowerShell_Framework_Gen5 date = 2016-11-05, hash3 = eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5, hash2 = 61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4, author = Florian Roth, description = Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, reference = https://github.com/adaptivethreat/Empire, super_rule = 1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8
      Source: Process Memory Space: powershell.exe PID: 4464, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      Source: classification engine | Classification label: mal92.rans.troj.spyw.winPS1@6/15@0/0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4740:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4464
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xvbtkpm2.kcg.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: uEWHR2iblu.ps1 | ReversingLabs: Detection: 28%
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\uEWHR2iblu.ps1"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\uEWHR2iblu.ps1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 3100
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\uEWHR2iblu.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: virtdisk.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fltlib.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: virtdisk.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fltlib.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: System.Management.Automation.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: System.Configuration.Install.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: System.Data.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb( source: powershell.exe, 00000006.00000002.2736446249.0000000008D5F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000006.00000002.2720623516.00000000075C4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbb source: powershell.exe, 00000006.00000002.2736446249.0000000008D5F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.Management.Infrastructure.pdbx' source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb* source: powershell.exe, 00000006.00000002.2736446249.0000000008C7C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbs source: powershell.exe, 00000006.00000002.2736446249.0000000008DBC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.pdb$XTA source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: System.DirectoryServices.pdb' source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000006.00000002.2736446249.0000000008C10000.00000004.00000020.00020000.00000000.sdmp, WER1AE8.tmp.dmp.10.dr
      Source: Binary string: System.Core.ni.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: Microsoft.SecureBoot.Commands.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: System.ni.pdbRSDSw source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbd source: powershell.exe, 00000006.00000002.2720623516.00000000075C4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.ni.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000006.00000002.2736446249.0000000008D5F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000006.00000002.2736446249.0000000008CD3000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: erShell.Commands.Utility.pdb source: powershell.exe, 00000006.00000002.2745134930.00000000099C5000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000006.00000002.2736446249.0000000008D5F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbo source: powershell.exe, 00000006.00000002.2736446249.0000000008D5F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbp source: powershell.exe, 00000006.00000002.2736446249.0000000008C7C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb source: powershell.exe, 00000006.00000002.2736446249.0000000008D18000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdberShell.Commands.Utility.pdb source: powershell.exe, 00000006.00000002.2745134930.00000000099C5000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb_3\ source: powershell.exe, 00000006.00000002.2745134930.00000000099C5000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbe source: powershell.exe, 00000006.00000002.2736446249.0000000008D5F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9 source: powershell.exe, 00000006.00000002.2745134930.00000000099C5000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: mscorlib.pdbe\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000006.00000002.2720623516.0000000007552000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdbH source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: System.DirectoryServices.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb:c source: powershell.exe, 00000006.00000002.2736446249.0000000008D5F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000006.00000002.2736446249.0000000008D5F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Configuration.ni.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000006.00000002.2736446249.0000000008CD3000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: mscorlib.ni.pdbRSDS source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: System.Configuration.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: Microsoft.WindowsAuthenticationProtocols.Commands.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: System.Xml.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000006.00000002.2736446249.0000000008C7C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: o.pdb source: powershell.exe, 00000006.00000002.2745134930.00000000099C5000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: o0C:\Windows\mscorlib.pdb} source: powershell.exe, 00000006.00000002.2745134930.00000000099C5000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: %%.pdb source: powershell.exe, 00000006.00000002.2745134930.00000000099C5000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2736446249.0000000008C10000.00000004.00000020.00020000.00000000.sdmp, WER1AE8.tmp.dmp.10.dr
      Source: Binary string: Microsoft.WindowsAuthenticationProtocols.Commands.pdb@ source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: Microsoft.PowerShell.Security.pdbx source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.2736446249.0000000008C10000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2745134930.00000000099C5000.00000004.00000010.00020000.00000000.sdmp, WER1AE8.tmp.dmp.10.dr
      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2720623516.0000000007552000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000006.00000002.2736446249.0000000008C7C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000006.00000002.2736446249.0000000008D5F000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: symbols\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2745134930.00000000099C5000.00000004.00000010.00020000.00000000.sdmp
      Source: Binary string: System.Management.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000006.00000002.2736446249.0000000008C7C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.2736446249.0000000008C10000.00000004.00000020.00020000.00000000.sdmp, WER1AE8.tmp.dmp.10.dr
      Source: Binary string: System.Transactions.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: Microsoft.AppV.AppvClientComConsumer.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: System.Numerics.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.2736446249.0000000008C10000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.ni.pdb source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: System.Data.pdb, source: WER1AE8.tmp.dmp.10.dr
      Source: Binary string: System.Core.ni.pdbRSDS source: WER1AE8.tmp.dmp.10.dr
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFB115078F3 push ebx; retf 1_2_00007FFB1150793A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFB11507955 push ebx; retf 1_2_00007FFB1150793A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFB1150206D pushad ; iretd 1_2_00007FFB11502099
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFB117A44A8 push eax; retf 1_2_00007FFB117A44A9
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFB11B58137 push ebx; ret 1_2_00007FFB11B5813A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFB11B56C90 push eax; iretd 1_2_00007FFB11B56D2D
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFB11B57563 push edi; retf 1_2_00007FFB11B57566
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFB11B47CA8 pushad ; retf 1_2_00007FFB11B4BCE9
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFB11CD2693 pushfd ; retf 1_2_00007FFB11CD2694
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0336DFA0 push es; ret 6_2_0336DFB6
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08B4018E push FFFFFF8Bh; retf 6_2_08B40199
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08B42628 push 1C08AEC3h; ret 6_2_08B42665
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08B5FE40 push es; ret 6_2_08B5FE56
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08BC5938 push eax; mov dword ptr [esp], edx 6_2_08BC594C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08BC0F43 push eax; mov dword ptr [esp], edx 6_2_08BC0F94
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08E27A60 push esp; ret 6_2_08E27A6D
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08E2C231 push es; ret 6_2_08E2C226
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08E2C211 push es; ret 6_2_08E2C226
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08E27421 push eax; mov dword ptr [esp], edx 6_2_08E2744C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08E7D616 push ss; iretd 6_2_08E7D635
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08E871C0 pushad ; ret 6_2_08E871CD
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_08E82EDA push FFFFFF8Bh; iretd 6_2_08E82EE1

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFB119171BD sldt word ptr [eax]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5462
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4451
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6386
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3203
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5708; Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4984; Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFB1150299D GetSystemInfo,
Source: Amcache.hve.10.dr; Binary or memory string: VMware
Source: powershell.exe, 00000006.00000002.2685316121.00000000052A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: Amcache.hve.10.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr; Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr; Binary or memory string: VMware20,1hbin@
Source: powershell.exe, 00000006.00000002.2736446249.0000000008C10000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Fule.PS_VpnSeMSFT_NetEventVmNetworkAdatper.cdxml
Source: Amcache.hve.10.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: powershell.exe, 00000006.00000002.2685316121.00000000052A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Amcache.hve.10.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr; Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr; Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr; Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr; Binary or memory string: VMware-42 27 9c 31 6b 7d 78 89-be 90 b3 22 a5 ab 1b 52
Source: powershell.exe, 00000006.00000002.2685316121.00000000052A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Amcache.hve.10.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: powershell.exe, 00000006.00000002.2736446249.0000000008C10000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: VVpnClient.psMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: Amcache.hve.10.dr; Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr; Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr; Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr; Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\uEWHR2iblu.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: Amcache.hve.10.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
      Source: Amcache.hve.10.drBinary or memory string: msmpeng.exe
      Source: Amcache.hve.10.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
      Source: Amcache.hve.10.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
      Source: Amcache.hve.10.drBinary or memory string: MsMpEng.exe

      Remote Access Functionality

Source: powershell.exe, 00000006.00000002.2705040530.00000000062E7000.00000004.00000800.00020000.00000000.sdmp | Memory string: $Shellcode1 += 0x48
Source: powershell.exe, 00000006.00000002.2705040530.00000000062E7000.00000004.00000800.00020000.00000000.sdmp | Memory string: $PEHandle = [IntPtr]::Zero
Source: Yara match | File source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2705040530.00000000062E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4464, type: MEMORYSTR
MITRE ATT&CK Matrix (one row per matrix line; a leading number is the count shown beside that technique in the report)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 41 Virtualization/Sandbox Evasion | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph (ID: 1579863, Sample: uEWHR2iblu.ps1, Startdate: 23/12/2024, Architecture: WINDOWS, Score: 92)

Process tree: powershell.exe started powershell.exe and conhost.exe; the child powershell.exe started WerFault.exe and conhost.exe.
Signatures on the sample: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected MetasploitPayload; 3 other signatures.
Signatures on the child powershell.exe: Found post-exploitation toolkit Empire; Loading BitLocker PowerShell Module.

Source | Detection | Scanner | Label | Link
uEWHR2iblu.ps1 | 29% | ReversingLabs | Script-PowerShell.Trojan.Lockbit
      No Antivirus matches
      No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.2474778733.0000014002156000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2508855375.000001401056E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2705040530.00000000062E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000001.00000002.2474778733.0000014001BF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000006.00000002.2685316121.00000000052A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.pngp | powershell.exe, 00000001.00000002.2474778733.0000014000412000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pesterp | powershell.exe, 00000001.00000002.2474778733.0000014000412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2685316121.00000000052A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000006.00000002.2685316121.00000000052A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2685316121.00000000052A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.pngh | powershell.exe, 00000001.00000002.2474778733.0000014001FE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2474778733.000001400200B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000006.00000002.2685316121.00000000052A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000006.00000002.2705040530.00000000062E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pesterh | powershell.exe, 00000001.00000002.2474778733.0000014001FE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2474778733.000001400200B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2474778733.0000014002156000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2508855375.000001401056E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2705040530.00000000062E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000006.00000002.2705040530.00000000062E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.htmlh | powershell.exe, 00000001.00000002.2474778733.000001400200B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2705040530.00000000062E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oneget.orgx | powershell.exe, 00000001.00000002.2474778733.0000014001BF8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://upx.sf.net | Amcache.hve.10.dr | false | | high
https://aka.ms/pscore6 | powershell.exe, 00000006.00000002.2685316121.00000000050B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.2474778733.00000140001E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.htmlp | powershell.exe, 00000001.00000002.2474778733.0000014000412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2474778733.00000140001E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2685316121.00000000050B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2685316121.00000000052A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oneget.org | powershell.exe, 00000001.00000002.2474778733.0000014001BF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                      No contacted IP infos
                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1579863
                                                      Start date and time:2024-12-23 12:33:15 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 7m 26s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Number of analysed new started processes analysed:14
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:uEWHR2iblu.ps1
                                                      renamed because original name is a hash value
                                                      Original Sample Name:0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9.ps1
                                                      Detection:MAL
                                                      Classification:mal92.rans.troj.spyw.winPS1@6/15@0/0
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HCA Information:
                                                      • Successful, ratio: 81%
                                                      • Number of executed functions: 336
                                                      • Number of non-executed functions: 63
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .ps1
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                      • Excluded IPs from analysis (whitelisted): 20.189.173.21, 20.109.210.53, 20.190.177.82
                                                      • Excluded domains from analysis (whitelisted): www.bing.com, watson.events.data.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollectorcommon.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                                      • VT rate limit hit for: uEWHR2iblu.ps1
Time | Type | Description
06:36:02 | API Interceptor | 65x Sleep call for process: powershell.exe modified
06:36:22 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                      No context
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.2806369199894239
                                                      Encrypted:false
                                                      SSDEEP:192:wII1g2CwZn0BU84vjSjy7R6YxSuiFlH4IO8T:dI1PC20BU84vjuWLSuiFlH4IO8T
                                                      MD5:1A7BFBDFC60BB9402F5D32F076A6FD45
                                                      SHA1:A22BEF714EDB3322407623CC51B5B82EED84F0FF
                                                      SHA-256:D3D543AD5AEB7680FE560B2A25E84B8798121829D48562715492EBC94218E929
                                                      SHA-512:DBADC9277E931A6612E14C353B6743449FD7FBB8696749D868FE6BE857B6B968FE0B18F6202339F9602B271FA61FD7DC85C04A998832B376F0C77C869EEBE2A2
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.4.2.7.3.7.3.4.9.4.3.3.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.4.2.7.3.7.4.9.7.8.7.0.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.b.7.c.3.0.d.9.-.4.d.d.5.-.4.e.0.8.-.b.a.1.f.-.6.e.6.0.3.b.9.a.3.0.f.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.6.c.0.8.5.8.-.5.7.4.3.-.4.1.f.2.-.8.c.b.2.-.5.c.f.6.6.f.5.2.7.7.5.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.7.0.-.0.0.0.1.-.0.0.1.5.-.5.6.e.5.-.6.a.d.9.2.e.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.4.4.2.f.3.5.e.3.9.a.e.5.c.e.0.6.b.d.e.4.1.a.f.e.7.7.8.4.3.6.c.8.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Mon Dec 23 11:36:14 2024, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):673637
                                                      Entropy (8bit):3.517386944119851
                                                      Encrypted:false
                                                      SSDEEP:6144:CjreoVEgLTglE/nPY1bxipdCu04roDNbs9nLnPjCLdH:5uTgioxipdCuo6Br2
                                                      MD5:E3C1699DE322B0A6025C5FC115B23BA5
                                                      SHA1:2187C30626AA01FB3F0BE606B9DFA14F60CAD072
                                                      SHA-256:42BA3BAC2E4A34B1EB563C117C302A8888F4DEE317EACEF86004CF02759D7178
                                                      SHA-512:082C381979B11AA6F5E019D7882CDD972062BA5E38E48F8C1592D9585B18EBFF926EFE9536827A48B0F0B158421A20AFB4D2939964817F613276A731D2BA2084
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:MDMP..a..... ........Kig.........................(..........................T.......8...........T............y..e............3...........5..............................................................................eJ......@6......GenuineIntel............T.......p...$Kig.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8350
                                                      Entropy (8bit):3.7015379329769016
                                                      Encrypted:false
                                                      SSDEEP:192:R6l79RJyjX6T6Y1aSougmfMq7dlpr589bU8sfBicm:R6lXJEX6T6YIS5gmfMq7d+UPfB4
                                                      MD5:AAF6B42ED1BAB14EF331C0D482641A4C
                                                      SHA1:F6EDD3A60A5DA12B31DB8833CC0CED5A0230541C
                                                      SHA-256:3C953BC0DFA151C504B260EA19F24B670E920297CF824DCACB2C5BC54FAAD1B2
                                                      SHA-512:9EE833108289B318D5A5F5C69DEBBE17C2F52A055ACCCAF12AB4FDF6CAD02DA9544CC51A7E25FC2F044C75D3DB41007B108C5F2EACFD5BA12B8F35CD22C86D19
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...3.4.4.8...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.3.4.4.8.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.4.6.4.<./.P.i.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4707
                                                      Entropy (8bit):4.502708888568084
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwr7SGl8zszJgkZ7aI9Z+WpW8VYHYm8M4JQvfF++q8Ky9EUd:uIafNh7P/7VjJQwy9EUd
                                                      MD5:2014D15F6BD24AA4F4B94FED9F9BFDC1
                                                      SHA1:8153EBD59F2399364EC80DD6E94B8002F5E68448
                                                      SHA-256:5C584586BDB9B8A4DEBB1BC48B70315937A67FC01FC14B814EE954C99195528E
                                                      SHA-512:1A77F3DB6DF784836E80DDCF83AD2765C6D8051A631E802122805717D7D847F8B9F2B6D564A128C5ABAB468E44394CCBD1629BD3F5BB009419E4E92781FDDD0A
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="3448" />.. <arg nm="verqfe" val="3448" />.. <arg nm="csdbld" val="3448" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222987628" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):16780
                                                      Entropy (8bit):5.474967000816882
                                                      Encrypted:false
                                                      SSDEEP:384:5OejFWzGXA18vEogmU7k8kiwXIuWeSIWt3t2+89hJ4UjIpBy9KY8yRxnN0Qv1mmv:g8czWE8vgmUvFAlGbgnVWBy9KIjNlSFW
                                                      MD5:97C6BD35E235172C511DDFBB46E1C24E
                                                      SHA1:66CAC22D2643D9071E98B72445D64923F6FC54C5
                                                      SHA-256:26B4A883BBA89009F3679AA9502967D2B1A8369688B5B652630F13E590CB39EA
                                                      SHA-512:223150CC91382905D821A784E729D3C617E793D87893B765A5A38E5B1519DF2BFE3AA3CA8BEAA47D5939BB225645531F08AA5C91E428B7FB177478922D902D84
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:@...e................................................@..........H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHostD...............E...y.BG.\..............System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................%...K... ...f.......System.Xml..@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementD....................+.H..!...e........System.Configuration.Ins
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):6221
                                                      Entropy (8bit):3.7174119450945584
                                                      Encrypted:false
                                                      SSDEEP:48:VOlsXtVqHgC/4U2uMjAukvhkvklCyw5r4KmpzSogZoRL4KmFzSogZol1:oYuACZxM1kvhkvCCtx4KRHm4K1Hy
                                                      MD5:20311E6F7F38B40BF9474236E11FE238
                                                      SHA1:6966AAAFC244A597E6274B567FC1A8FB9B11BA99
                                                      SHA-256:45A77CA40F9A0E0112F36762E2F5940E12709DEE501C6108B56CFD4052560523
                                                      SHA-512:23EF0E52110B1BC672E731B9E79271017F7849BF34C7F4759F14284E7D176D4ADC7557C5C33D80582D18E16B3311F5FFB0EE45119EEA3970FBB0FBD0479267A6
                                                      Malicious:false
                                                      Preview:...................................FL..................F.".. ....MS7.....T/..U..z.:{.............................:..DG..Yr?.D..U..k0.&...&........P7.....T..U......U......t...CFSF..1.....EW.p..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.p.YD\....~.....................GS@.A.p.p.D.a.t.a...B.V.1......YH\..Roaming.@......EW.p.YH\...........................0..R.o.a.m.i.n.g.....\.1.....EW.r..MICROS~1..D......EW.p.YD\..........................0.4.M.i.c.r.o.s.o.f.t.....V.1.....EWcr..Windows.@......EW.p.YD\..........................\...W.i.n.d.o.w.s.......1.....EW.p..STARTM~1..n......EW.p.YD\....................D......v..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.q..Programs..j......EW.p.YD\....................@......+..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.pEW.p..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW.p.Yf\....G...........
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):6221
                                                      Entropy (8bit):3.7174119450945584
                                                      Encrypted:false
                                                      SSDEEP:48:VOlsXtVqHgC/4U2uMjAukvhkvklCyw5r4KmpzSogZoRL4KmFzSogZol1:oYuACZxM1kvhkvCCtx4KRHm4K1Hy
                                                      MD5:20311E6F7F38B40BF9474236E11FE238
                                                      SHA1:6966AAAFC244A597E6274B567FC1A8FB9B11BA99
                                                      SHA-256:45A77CA40F9A0E0112F36762E2F5940E12709DEE501C6108B56CFD4052560523
                                                      SHA-512:23EF0E52110B1BC672E731B9E79271017F7849BF34C7F4759F14284E7D176D4ADC7557C5C33D80582D18E16B3311F5FFB0EE45119EEA3970FBB0FBD0479267A6
                                                      Malicious:false
                                                      Preview:...................................FL..................F.".. ....MS7.....T/..U..z.:{.............................:..DG..Yr?.D..U..k0.&...&........P7.....T..U......U......t...CFSF..1.....EW.p..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.p.YD\....~.....................GS@.A.p.p.D.a.t.a...B.V.1......YH\..Roaming.@......EW.p.YH\...........................0..R.o.a.m.i.n.g.....\.1.....EW.r..MICROS~1..D......EW.p.YD\..........................0.4.M.i.c.r.o.s.o.f.t.....V.1.....EWcr..Windows.@......EW.p.YD\..........................\...W.i.n.d.o.w.s.......1.....EW.p..STARTM~1..n......EW.p.YD\....................D......v..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.q..Programs..j......EW.p.YD\....................@......+..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.pEW.p..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW.p.Yf\....G...........
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:MS Windows registry file, NT/2000 or above
                                                      Category:dropped
                                                      Size (bytes):1835008
                                                      Entropy (8bit):4.328141774431844
                                                      Encrypted:false
                                                      SSDEEP:6144:gRJufhX4RxLT+y2H4A0WBIIQfTa765q/E5ySvL+ML61BhcRo5d5OWiBe4:8Js3BIdBvL+SGcIdYFR
                                                      MD5:D04776EBECE1E61E04E1FC4607524A5C
                                                      SHA1:32824CF3B7E2766BC57AEA2E6B43B3A280EF8707
                                                      SHA-256:5F2B6303FD0FCF88BDA935F30B4C6947762037910CCB064293955379CADDC5D1
                                                      SHA-512:C7CAE8163F6E9723065FF47E6E1167D0341148976914BE5451AC8726AED4A5CF47F17EF2F4A221C9F70B45A025A8A66AE2A4A454F7BF50C37B4CAC82C32B4BC1
                                                      Malicious:false
                                                      Preview:regfO...O....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmB!...U.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with very long lines (352), with CRLF, LF line terminators
                                                      Category:dropped
                                                      Size (bytes):17469
                                                      Entropy (8bit):4.862417075093522
                                                      Encrypted:false
                                                      SSDEEP:384:rYt1RRRRCi8fRRRRCZ8fRRCc8fRRRCZ8fRRCi8fRRCZ8fRRC28fRRC28fRRRCZ88:4RRRRCi8fRRRRCZ8fRRCc8fRRRCZ8fRP
                                                      MD5:EB82357200A775D2D04FE24E41EA0745
                                                      SHA1:BAB43848FAC50E0F1430BB4B427D4FA2C2D8B511
                                                      SHA-256:C03078507943E525B4D0EE82C5CF1A7DDA0CF96B4CE67BDAC145A00068EEBD99
                                                      SHA-512:134DF59809A38363BA9C10882F45BAAAE09EC83E9E2C5C56A80F6DF5875871C678D4EB057783FE79C6100BA3BCB74AF0C55C327BB31600F7F344CA729712C543
                                                      Malicious:false
                                                      Preview:.Unhandled Exception: System.Runtime.InteropServices.SEHException: External component has thrown an exception... at CallSite.Target(Closure , CallSite , Object , Object , Int32 , IntPtr ).. at System.Dynamic.UpdateDelegates.UpdateAndExecute4[T0,T1,T2,T3,TRet](CallSite site, T0 arg0, T1 arg1, T2 arg2, T3 arg3).. at System.Management.Automation.Interpreter.DynamicInstruction`5.Run(InterpretedFrame frame).. at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame).. at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame).. at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame).. at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame).. at System.Management.Automation.Interpreter.Interpreter.Run(InterpretedFrame frame).. at System.Management.Automation.Interpreter.LightLambda.RunVoid1
                                                      File type:ASCII text, with very long lines (65312), with CRLF, LF line terminators
                                                      Entropy (8bit):3.4738796213652647
                                                      TrID:
                                                        File name:uEWHR2iblu.ps1
                                                        File size:604'897 bytes
                                                        MD5:7e525ef64a4e27fbb325d7cb4653f0a1
                                                        SHA1:8d3756c9e7a78a5a7dd8fca67e7de51a9ea59a52
                                                        SHA256:0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9
                                                        SHA512:ec9832d42f86fd086a929c0a5cb31d7d3839d6e5b5c8c15670c477b507a2b66f60ce438006fb11a20522c7ede600e098c3f385720191851b91d5945eb0e50372
                                                        SSDEEP:1536:Kk0H/lFq+N1mfoRlNyjZk11iBQcIY1Y+qFMJFOgvZ/wpKDcalOGODPNTbJYj6CJs:QR
                                                        TLSH:36D42AF063A099E3B6D94993A265195D3B2A103FBDC635D84083FBDD1C7BAC08A19CD7
                                                        File Content Preview:for ($i = 0; $i -lt $args.count; $i++ ){$argument += $args[$i] + ' '} . $psFile=$PSCommandPath.$global:ProgressPreference = "SilentlyContinue"....# -- thread variables..$script:threadBody = '$data=$threadData;'..$data = @(..@(62416317159553766,61715855556
                                                        Icon Hash:3270d6baae77db44
                                                        No network behavior found

                                                        Target ID:1
                                                        Start time:06:35:08
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\uEWHR2iblu.ps1"
                                                        Imagebase:0x7ff6f70b0000
                                                        File size:486'400 bytes
                                                        MD5 hash:DFD66604CA0898E8E26DF7B1635B6326
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:06:35:09
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff720030000
                                                        File size:873'472 bytes
                                                        MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:06:36:04
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\uEWHR2iblu.ps1
                                                        Imagebase:0xbf0000
                                                        File size:457'216 bytes
                                                        MD5 hash:3F92A35BA26FF7A11A49E15EFE18F0C2
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Hacktool_Mimikatz_355d5d3a, Description: Detection for Invoke-Mimikatz, Source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: Empire_Invoke_Gen, Description: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                        • Rule: Empire_PowerShell_Framework_Gen5, Description: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000006.00000002.2705040530.000000000629B000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000006.00000002.2779364666.0000000010016000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000006.00000002.2779364666.0000000010016000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000006.00000002.2705040530.0000000006643000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000006.00000002.2705040530.0000000006643000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000006.00000002.2705040530.00000000062E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:06:36:04
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff720030000
                                                        File size:873'472 bytes
                                                        MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:06:36:13
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 3100
                                                        Imagebase:0x880000
                                                        File size:489'328 bytes
                                                        MD5 hash:F5210A4A7E411A1BAD3844586A74B574
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                          Execution Graph

                                                          Execution Coverage:2.7%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:14
                                                          Total number of Limit Nodes:1
                                                          execution_graph 33402 7ffb11509a71 33404 7ffb11509a7f GetFileAttributesW 33402->33404 33405 7ffb11509b26 33404->33405 33389 7ffb115030b0 33390 7ffb115030a3 33389->33390 33390->33389 33393 7ffb11502ab8 33390->33393 33392 7ffb11503143 33394 7ffb11502abd 33393->33394 33395 7ffb11521223 GetSystemInfo 33394->33395 33397 7ffb11521190 33394->33397 33396 7ffb1152125e 33395->33396 33396->33392 33397->33392 33398 7ffb1150a298 33399 7ffb1150a28a IdentifyCodeAuthzLevelW 33398->33399 33401 7ffb115199be 33399->33401

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 7ffb1150100f-7ffb11501011 1 7ffb11501047-7ffb115010e4 0->1 2 7ffb11501013-7ffb11501046 0->2 19 7ffb115010e6-7ffb11501119 1->19 20 7ffb1150111c-7ffb115011e4 1->20 2->1 19->20 38 7ffb115011e6-7ffb1150121a 20->38 39 7ffb1150121b-7ffb115012e4 20->39 38->39 53 7ffb1150131a-7ffb1150131f 39->53 54 7ffb115012e6-7ffb11501319 39->54 55 7ffb11501321-7ffb115013e4 53->55 56 7ffb11501320 53->56 54->53 73 7ffb11501419-7ffb115014e4 55->73 74 7ffb115013e6-7ffb11501418 55->74 56->55 92 7ffb11501518-7ffb1150156f 73->92 93 7ffb115014e6-7ffb11501515 73->93 74->73 102 7ffb115015b9-7ffb115015d6 92->102 103 7ffb11501571-7ffb1150159b call 7ffb11500150 92->103 93->92 108 7ffb115015d8-7ffb115015da 102->108 109 7ffb11501647-7ffb11501650 102->109 105 7ffb115015a0-7ffb115015b0 call 7ffb11500448 call 7ffb115005a8 103->105 123 7ffb115015b2-7ffb115015b6 105->123 124 7ffb11501621-7ffb11501622 105->124 111 7ffb11501656 108->111 112 7ffb115015dc 108->112 109->111 115 7ffb11501658-7ffb1150165e 111->115 116 7ffb11501623-7ffb11501636 112->116 117 7ffb115015de-7ffb115015ee 112->117 119 7ffb115016b7-7ffb115016bd 115->119 120 7ffb11501660-7ffb11501663 115->120 127 7ffb11501637-7ffb11501645 116->127 129 7ffb115015f0-7ffb1150160a 117->129 130 7ffb1150161d-7ffb1150161e 117->130 128 7ffb115016c4-7ffb115016c6 call 7ffb11500768 119->128 125 7ffb11501665-7ffb11501676 120->125 126 7ffb115016e4-7ffb1150170b call 7ffb115007f8 120->126 123->127 131 7ffb115015b8 123->131 124->116 132 7ffb1150167b-7ffb11501689 125->132 148 7ffb11501719 126->148 149 7ffb1150170d-7ffb11501717 126->149 127->109 138 7ffb115016cb-7ffb115016df call 7ffb115007f0 128->138 129->132 145 7ffb1150160c-7ffb1150160f 129->145 130->124 131->102 136 7ffb1150168b-7ffb115016b6 132->136 136->119 138->126 145->136 151 7ffb11501611 145->151 152 7ffb1150171e-7ffb11501720 148->152 149->152 151->115 153 7ffb11501613-7ffb11501618 call 7ffb11500598 151->153 154 7ffb11501757-7ffb11501764 call 7ffb11500308 152->154 155 7ffb11501722-7ffb11501727 152->155 153->130 161 7ffb11501766-7ffb1150176b call 7ffb115009e0 154->161 158 7ffb11501731-7ffb11501755 call 7ffb11500d18 155->158 158->161 164 7ffb11501770-7ffb1150177d call 7ffb115009e8 161->164 168 7ffb11501799-7ffb1150179d 164->168 169 7ffb1150177f-7ffb11501797 164->169 170 7ffb1150179f-7ffb115017d5 call 7ffb11500880 call 7ffb115018d6 168->170 169->170
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2526933436.00007FFB11500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11500000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11500000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 2N_I$3N_I$5N_I$6N_I
                                                          • API String ID: 0-2083426369
                                                          • Opcode ID: 341358818a487b99175333ce8c29598e0ed6e13a1631303ddd2f0bad3d818e31
                                                          • Instruction ID: 179604c9533cba994b60f653a85dca71bc6ac0b0b3d07e58920ded5f92e02f0e
                                                          • Opcode Fuzzy Hash: 341358818a487b99175333ce8c29598e0ed6e13a1631303ddd2f0bad3d818e31
                                                          • Instruction Fuzzy Hash: CC42C3D3A0DEC10FE7558AF8D89526D7F9AFF51321B9801FAD0C88B1ABD958D80587C2

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 178 7ffb11501030-7ffb115010e4 194 7ffb115010e6-7ffb11501119 178->194 195 7ffb1150111c-7ffb115011e4 178->195 194->195 213 7ffb115011e6-7ffb1150121a 195->213 214 7ffb1150121b-7ffb115012e4 195->214 213->214 228 7ffb1150131a-7ffb1150131f 214->228 229 7ffb115012e6-7ffb11501319 214->229 230 7ffb11501321-7ffb115013e4 228->230 231 7ffb11501320 228->231 229->228 248 7ffb11501419-7ffb115014e4 230->248 249 7ffb115013e6-7ffb11501418 230->249 231->230 267 7ffb11501518-7ffb1150156f 248->267 268 7ffb115014e6-7ffb11501515 248->268 249->248 277 7ffb115015b9-7ffb115015d6 267->277 278 7ffb11501571-7ffb1150159b call 7ffb11500150 267->278 268->267 283 7ffb115015d8-7ffb115015da 277->283 284 7ffb11501647-7ffb11501650 277->284 280 7ffb115015a0-7ffb115015b0 call 7ffb11500448 call 7ffb115005a8 278->280 298 7ffb115015b2-7ffb115015b6 280->298 299 7ffb11501621-7ffb11501622 280->299 286 7ffb11501656 283->286 287 7ffb115015dc 283->287 284->286 290 7ffb11501658-7ffb1150165e 286->290 291 7ffb11501623-7ffb11501636 287->291 292 7ffb115015de-7ffb115015ee 287->292 294 7ffb115016b7-7ffb115016c6 call 7ffb11500768 290->294 295 7ffb11501660-7ffb11501663 290->295 302 7ffb11501637-7ffb11501645 291->302 304 7ffb115015f0-7ffb1150160a 292->304 305 7ffb1150161d-7ffb1150161e 292->305 313 7ffb115016cb-7ffb115016df call 7ffb115007f0 294->313 300 7ffb11501665-7ffb11501676 295->300 301 7ffb115016e4-7ffb1150170b call 7ffb115007f8 295->301 298->302 306 7ffb115015b8 298->306 299->291 307 7ffb1150167b-7ffb11501689 300->307 323 7ffb11501719 301->323 324 7ffb1150170d-7ffb11501717 301->324 302->284 304->307 320 7ffb1150160c-7ffb1150160f 304->320 305->299 306->277 311 7ffb1150168b-7ffb115016b6 307->311 311->294 313->301 320->311 326 7ffb11501611 320->326 327 7ffb1150171e-7ffb11501720 323->327 324->327 326->290 328 7ffb11501613-7ffb11501618 call 7ffb11500598 326->328 329 7ffb11501757-7ffb11501764 call 7ffb11500308 327->329 330 7ffb11501722-7ffb11501727 327->330 328->305 336 7ffb11501766-7ffb1150176b call 7ffb115009e0 329->336 333 7ffb11501731-7ffb11501755 call 7ffb11500d18 330->333 333->336 339 7ffb11501770-7ffb1150177d call 7ffb115009e8 336->339 343 7ffb11501799-7ffb1150179d 339->343 344 7ffb1150177f-7ffb11501797 339->344 345 7ffb1150179f-7ffb115017d5 call 7ffb11500880 call 7ffb115018d6 343->345 344->345
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2526933436.00007FFB11500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11500000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11500000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 2N_I$3N_I$5N_I$6N_I
                                                          • API String ID: 0-2083426369
                                                          • Opcode ID: 9fed304dc5709af118d3428712df4d0fd8c138bace19d25248b7ec7ef7473e7e
                                                          • Instruction ID: 179dd18c053dfbbd3d4b8d7000890a628815a895664091f942050dd7dce4d5a2
                                                          • Opcode Fuzzy Hash: 9fed304dc5709af118d3428712df4d0fd8c138bace19d25248b7ec7ef7473e7e
                                                          • Instruction Fuzzy Hash: BB42C3D3A0DEC10BE3558AF8989526E7F9AFF51721B9801FED0C8871EBD858D90587C2

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2526933436.00007FFB11500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11500000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11500000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 99a03b07a45b919dea9f1f73cca11197bf15bfa9de041d562a9a89642c2ac851
                                                          • Instruction ID: d5fae3894c3071cfff49d136ca565cb2837728aba83ce14e288c508c48f292d0
                                                          • Opcode Fuzzy Hash: 99a03b07a45b919dea9f1f73cca11197bf15bfa9de041d562a9a89642c2ac851
                                                          • Instruction Fuzzy Hash: 957147B390CAC94FE7158AB8C8561A9BFE5FF51360F08417BD08D871A3EA659885C781

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 906 7ffb11cdaf71-7ffb11cdafbb 909 7ffb11cdafe0-7ffb11cdaff2 906->909 910 7ffb11cdafbd-7ffb11cdafcf 906->910 914 7ffb11cdaff4-7ffb11cdaffa 909->914 915 7ffb11cdb026-7ffb11cdb02a 909->915 910->909 913 7ffb11cdafd1-7ffb11cdafd5 910->913 918 7ffb11cdafdb 913->918 919 7ffb11cdb0bd-7ffb11cdb0db 913->919 920 7ffb11cdaffc-7ffb11cdb00c 914->920 921 7ffb11cdb00d-7ffb11cdb011 914->921 916 7ffb11cdb030-7ffb11cdb03c 915->916 917 7ffb11cdb0ac-7ffb11cdb0bc 915->917 916->917 922 7ffb11cdb03e-7ffb11cdb05d 916->922 918->917 929 7ffb11cdb121-7ffb11cdb130 919->929 930 7ffb11cdb0dd-7ffb11cdb114 919->930 920->921 921->917 924 7ffb11cdb017-7ffb11cdb01b 921->924 937 7ffb11cdb05f-7ffb11cdb09b 922->937 938 7ffb11cdb09d-7ffb11cdb0a0 922->938 926 7ffb11cdb1b4-7ffb11cdb1d2 924->926 927 7ffb11cdb021 924->927 934 7ffb11cdb218-7ffb11cdb232 926->934 935 7ffb11cdb1d4-7ffb11cdb20e 926->935 927->917 940 7ffb11cdb131-7ffb11cdb143 929->940 939 7ffb11cdb115-7ffb11cdb117 930->939 945 7ffb11cdb244-7ffb11cdb248 934->945 946 7ffb11cdb234-7ffb11cdb242 934->946 935->934 937->938 938->917 943 7ffb11cdb0a2-7ffb11cdb0a6 938->943 939->929 940->939 948 7ffb11cdb145-7ffb11cdb15e 940->948 943->917 949 7ffb11cdb2ca-7ffb11cdb344 943->949 950 7ffb11cdb24a-7ffb11cdb2c3 945->950 946->950 948->940 957 7ffb11cdb161-7ffb11cdb1ad 948->957 968 7ffb11cdb356-7ffb11cdb35a 949->968 969 7ffb11cdb346-7ffb11cdb354 949->969 950->949 957->926 970 7ffb11cdb35c-7ffb11cdb3c7 968->970 969->970 976 7ffb11cdb3c9-7ffb11cdb3d1 970->976 977 7ffb11cdb3d2-7ffb11cdb403 970->977 976->977 979 7ffb11cdb405-7ffb11cdb41a 977->979 980 7ffb11cdb41c-7ffb11cdb423 977->980 982 7ffb11cdb44c-7ffb11cdb468 979->982 981 7ffb11cdb425-7ffb11cdb426 980->981 980->982 985 7ffb11cdb42e-7ffb11cdb432 981->985 987 7ffb11cdb43a-7ffb11cdb44a 985->987 987->982
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2544285910.00007FFB11CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11CD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11cd0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9c414747af0af5e820d32364b38ae28177c77925a8bd03ed5c0171bb83475d40
                                                          • Instruction ID: 8fd707f0e0ce28be2851b72adaf0557b91b96fdd7f8c78c9c66d684ac591880d
                                                          • Opcode Fuzzy Hash: 9c414747af0af5e820d32364b38ae28177c77925a8bd03ed5c0171bb83475d40
                                                          • Instruction Fuzzy Hash: 8AF1F2B1A1CF4A4FEBA49A2CC4457B977D2EF89360F54027ED44DC76D2DE28A84187C2

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 353 7ffb11b58f3b-7ffb11b58f5d 356 7ffb11b592c3-7ffb11b592cb 353->356 357 7ffb11b58f63-7ffb11b58fa0 353->357 360 7ffb11b592cc-7ffb11b592d4 356->360 366 7ffb11b59036-7ffb11b59040 357->366 367 7ffb11b58fa6-7ffb11b58fc2 357->367 365 7ffb11b592d5-7ffb11b592dd 360->365 372 7ffb11b592de-7ffb11b592f5 365->372 369 7ffb11b59042-7ffb11b5904e 366->369 370 7ffb11b5908d-7ffb11b590a1 366->370 374 7ffb11b59011-7ffb11b59020 367->374 375 7ffb11b58fc4-7ffb11b58fe0 367->375 386 7ffb11b59053-7ffb11b5905e 369->386 378 7ffb11b5911c-7ffb11b5912c 370->378 379 7ffb11b590a3-7ffb11b590b0 370->379 388 7ffb11b592ff-7ffb11b5930d 372->388 389 7ffb11b592f7-7ffb11b592fe 372->389 381 7ffb11b59022-7ffb11b59024 374->381 382 7ffb11b59025-7ffb11b59031 374->382 375->360 398 7ffb11b58fe6-7ffb11b5900f 375->398 394 7ffb11b59132-7ffb11b59135 378->394 384 7ffb11b590b2-7ffb11b590bd 379->384 385 7ffb11b590fd-7ffb11b5910b 379->385 381->382 382->394 384->386 397 7ffb11b590bf-7ffb11b590ce 384->397 385->378 386->365 392 7ffb11b59064-7ffb11b5908b 386->392 396 7ffb11b5930f-7ffb11b59328 388->396 389->388 392->370 399 7ffb11b59137-7ffb11b59173 394->399 400 7ffb11b59175-7ffb11b591cc 394->400 402 7ffb11b5932e-7ffb11b59337 396->402 397->372 409 7ffb11b590d4-7ffb11b590fb 397->409 398->374 399->400 438 7ffb11b591ce-7ffb11b591e7 400->438 439 7ffb11b591e9-7ffb11b591fc 400->439 407 7ffb11b59350-7ffb11b59383 402->407 408 7ffb11b59339-7ffb11b5934f 402->408 424 7ffb11b593f1-7ffb11b59435 407->424 425 7ffb11b59385-7ffb11b59390 407->425 408->407 409->385 441 7ffb11b59437-7ffb11b59470 424->441 442 7ffb11b594a3-7ffb11b59501 424->442 427 7ffb11b59392-7ffb11b593b4 425->427 428 7ffb11b593b6-7ffb11b593c0 425->428 427->428 437 7ffb11b593c1-7ffb11b593ee 427->437 437->424 446 7ffb11b59202-7ffb11b592c1 438->446 439->446 459 7ffb11b59472-7ffb11b59474 441->459 460 7ffb11b59476-7ffb11b594a2 441->460 446->356 459->460
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2539984684.00007FFB11B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11b40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: H$`>l$x
                                                          • API String ID: 0-3979020288
                                                          • Opcode ID: 1f12f76d2a064cfbc6d1995a4f0aee1007cf2dc691c8f4c4b5359440e71d2848
                                                          • Instruction ID: 9bb6a46a2e41bcc0231799ab8805d03b13ad98a99638c1681dbdf81c33dd51cf
                                                          • Opcode Fuzzy Hash: 1f12f76d2a064cfbc6d1995a4f0aee1007cf2dc691c8f4c4b5359440e71d2848
                                                          • Instruction Fuzzy Hash: 74021692B1CE4A0FE7A8A73CD8596BA77C2EF9A350F1441BAD14DC72C7DD18AC064381

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2526933436.00007FFB11500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11500000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11500000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5b371a26ea24a3757a616290b3a3db6a0b13a2216bf294bf46ea73952aca68f1
                                                          • Instruction ID: cbe0eeaad5d8dcac77720856dae57aed709b773a8c485aa5342b03ec68c9c1b6
                                                          • Opcode Fuzzy Hash: 5b371a26ea24a3757a616290b3a3db6a0b13a2216bf294bf46ea73952aca68f1
                                                          • Instruction Fuzzy Hash: C871277290CE5C4FEBA9CA58CC056E9BBB5FB59320F0443FAD04DD3252DA316A858BC0

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2526933436.00007FFB11500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11500000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11500000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2d405facca5700e02e7073a14fb6845121ac88efbcc21b9534060aa71f75e31b
                                                          • Instruction ID: b030927cf78ef4a9da10d0e45abf261dc89dfaefc5196c8636eb418e28ad59c9
                                                          • Opcode Fuzzy Hash: 2d405facca5700e02e7073a14fb6845121ac88efbcc21b9534060aa71f75e31b
                                                          • Instruction Fuzzy Hash: A951A171908A1C8FDBA9DA18D8457E9B7B1FB58310F0042EAD04DE3262DE71AE958FC1

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 680 7ffb11509a71-7ffb11509a7d 681 7ffb11509a7f 680->681 682 7ffb11509a81-7ffb11509aba 680->682 681->682 683 7ffb11509ac1-7ffb11509ae8 681->683 682->683 686 7ffb11509af2-7ffb11509b24 GetFileAttributesW 683->686 687 7ffb11509aea-7ffb11509aef 683->687 688 7ffb11509b2c-7ffb11509b51 686->688 689 7ffb11509b26 686->689 687->686 689->688
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2526933436.00007FFB11500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11500000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11500000_powershell.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: 6f07208e16f863faebc6ec7c3d95bc2f70e2f7fa63cc80ecabc49e2221087d4e
                                                          • Instruction ID: af0880d8c3adc37b8d4577106ede9ee1aff2cf1bdf65d5e182c93486f3f9db8f
                                                          • Opcode Fuzzy Hash: 6f07208e16f863faebc6ec7c3d95bc2f70e2f7fa63cc80ecabc49e2221087d4e
                                                          • Instruction Fuzzy Hash: 0F31AF7190CB4C8FDB59DBACC8456E9BBF1EFA6321F04426BD049D3252DBA46846CB81

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 810 7ffb11cd0250-7ffb11cd026f 812 7ffb11cd0295-7ffb11cd0333 810->812 813 7ffb11cd0271-7ffb11cd0294 810->813 820 7ffb11cd0336-7ffb11cd0366 812->820 821 7ffb11cd0368-7ffb11cd0379 820->821 822 7ffb11cd037a-7ffb11cd03c6 820->822 821->822 825 7ffb11cd03c8-7ffb11cd03d6 822->825 826 7ffb11cd03fe-7ffb11cd040a 822->826 829 7ffb11cd05b3 825->829 830 7ffb11cd03dc-7ffb11cd03eb 825->830 827 7ffb11cd0410-7ffb11cd0422 826->827 828 7ffb11cd068c-7ffb11cd0694 call 7ffb11cd077b 826->828 827->829 831 7ffb11cd0428-7ffb11cd0433 827->831 828->820 838 7ffb11cd05b8-7ffb11cd05bc 829->838 833 7ffb11cd03f2-7ffb11cd03f7 830->833 834 7ffb11cd03ed 830->834 835 7ffb11cd0435-7ffb11cd0447 831->835 836 7ffb11cd048b-7ffb11cd048f 831->836 833->826 834->833 839 7ffb11cd05aa-7ffb11cd05ab 835->839 840 7ffb11cd044d-7ffb11cd0475 835->840 841 7ffb11cd0491-7ffb11cd049c 836->841 842 7ffb11cd04ac-7ffb11cd04b8 836->842 843 7ffb11cd0675-7ffb11cd067d 838->843 844 7ffb11cd05bd-7ffb11cd05cc 838->844 839->829 840->838 864 7ffb11cd047b-7ffb11cd0489 840->864 841->842 859 7ffb11cd049e-7ffb11cd04a5 841->859 845 7ffb11cd04bb-7ffb11cd04c1 842->845 846 7ffb11cd067f-7ffb11cd077a call 7ffb11cd077b 843->846 848 7ffb11cd05dd-7ffb11cd05e9 844->848 849 7ffb11cd05ce-7ffb11cd05db 844->849 850 7ffb11cd04c3-7ffb11cd04d3 845->850 851 7ffb11cd04d5-7ffb11cd04ef 845->851 861 7ffb11cd05f4-7ffb11cd0606 848->861 862 7ffb11cd05eb-7ffb11cd05f2 848->862 849->848 850->851 851->829 869 7ffb11cd04f5-7ffb11cd0503 851->869 859->842 867 7ffb11cd0617-7ffb11cd0649 861->867 868 7ffb11cd0608-7ffb11cd0613 861->868 866 7ffb11cd066a-7ffb11cd0673 862->866 864->835 864->836 866->846 882 7ffb11cd064b-7ffb11cd065b 867->882 883 7ffb11cd065d-7ffb11cd0663 867->883 868->844 873 7ffb11cd0615 868->873 871 7ffb11cd0517-7ffb11cd055d 869->871 872 7ffb11cd0505-7ffb11cd0510 869->872 871->829 886 7ffb11cd055f-7ffb11cd056f 871->886 872->845 876 7ffb11cd0512-7ffb11cd0515 872->876 873->867 876->871 882->866 883->866 887 7ffb11cd0575-7ffb11cd0585 886->887 888 7ffb11cd0686-7ffb11cd068b 886->888 887->829 889 7ffb11cd0587-7ffb11cd0598 887->889 888->828 890 7ffb11cd0699-7ffb11cd06b4 call 7ffb11cd077b 889->890 891 7ffb11cd059e-7ffb11cd05a5 889->891 896 7ffb11cd0748-7ffb11cd0766 890->896 897 7ffb11cd06ba-7ffb11cd06be 890->897 891->890 898 7ffb11cd0723-7ffb11cd0741 897->898 899 7ffb11cd06c0-7ffb11cd06e4 897->899 898->896 901 7ffb11cd06f5-7ffb11cd0721 899->901 902 7ffb11cd06e6-7ffb11cd06f3 899->902 901->896 902->901
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2544285910.00007FFB11CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11CD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11cd0000_powershell.jbxd

Control-flow Graph
• Function starting at 7ffb117a679a (rendered graph; executed/not-executed legend and basic-block edge list not reproduced)
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2532047742.00007FFB117A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB117A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb117a0000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2544285910.00007FFB11CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11CD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11cd0000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2544285910.00007FFB11CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11CD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11cd0000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2544285910.00007FFB11CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11CD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11cd0000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2539984684.00007FFB11B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11b40000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2539984684.00007FFB11B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11b40000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2539984684.00007FFB11B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11b40000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2539984684.00007FFB11B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11b40000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2539984684.00007FFB11B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11b40000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2539984684.00007FFB11B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11b40000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2544285910.00007FFB11CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11CD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11cd0000_powershell.jbxd
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2539984684.00007FFB11B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11b40000_powershell.jbxd
                                                          Similarity
                                                          • String ID: M<_H$o
                                                          • API String ID: 0-2815931253
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2539984684.00007FFB11B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11b40000_powershell.jbxd
                                                          Similarity
                                                          • String ID: 2On
                                                          • API String ID: 0-2071092809
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b047a474cf53cd5d7478d3f4bd963bd9ff4f78d391dda5340dc45e3f3c3fbf67
                                                          • Instruction ID: 958f5f83d1f151e5ac36a450c3e2f6e4e74c33c3055fc98e5b2832965fc15e87
                                                          • Opcode Fuzzy Hash: b047a474cf53cd5d7478d3f4bd963bd9ff4f78d391dda5340dc45e3f3c3fbf67
                                                          • Instruction Fuzzy Hash: B2B292B0618B4A4FD359EB38841527AB7D6FF89325F5085BDE08AC72A3DE3DD8468701
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2532047742.00007FFB117A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB117A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb117a0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 33
                                                          • API String ID: 0-2045896034
                                                          • Opcode ID: f3f3da2346719dfc0d2d3e05e5363ef0cf3b762c95945be540ce3fbe0f0cadbd
                                                          • Instruction ID: d350a6bc678ee29b2c70913887df5d70e2edf07b044c1a32a3818cb3b4d2eadd
                                                          • Opcode Fuzzy Hash: f3f3da2346719dfc0d2d3e05e5363ef0cf3b762c95945be540ce3fbe0f0cadbd
                                                          • Instruction Fuzzy Hash: 7551E3B7A1D6265FEB06FA3CF4922E57790EF5237430445B3C1C88E1B3DA58789696C0
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 69bbaed758d26f1b489f851e4f5062b312dfc948d5515e29259f566ac0ed7069
                                                          • Instruction ID: 23c4c0c5cec4d3c79bac1e5130f134822444e2b45f7cc6791080e371c061e6c7
                                                          • Opcode Fuzzy Hash: 69bbaed758d26f1b489f851e4f5062b312dfc948d5515e29259f566ac0ed7069
                                                          • Instruction Fuzzy Hash: F0222DB0A18A4A4FD798EB38C01537AB6DAFF89315F5085BDE04EC7397DE3998468740
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2539984684.00007FFB11B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11b40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f03a1b28cc7aabf35d3ccd4ed20cd7bd98ff84edef04d016093e50cb6b4bca07
                                                          • Instruction ID: 9ad13005ed165a66117bc09c7f545bc3983ae14162bdafa8324d22090689a484
                                                          • Opcode Fuzzy Hash: f03a1b28cc7aabf35d3ccd4ed20cd7bd98ff84edef04d016093e50cb6b4bca07
                                                          • Instruction Fuzzy Hash: 82123771A1CE4A4FE798EB3CC4556BAB7E1FF55320F1442BAD04DC7292DE29A8428781
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 295020afd823688840001e4a41294023c73f65682d53faf4528602e719d0bd8f
                                                          • Instruction ID: 81409b4731bcdd95fd32db00fd155811322ed5238c2cc09c3a48c9f238951789
                                                          • Opcode Fuzzy Hash: 295020afd823688840001e4a41294023c73f65682d53faf4528602e719d0bd8f
                                                          • Instruction Fuzzy Hash: 912293B0618B894FD358EB7CC41536AB7D6FF99321F5045BEE08AC72A3DE3898468741
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9c857204220ee4f0c80270ca66a401f56dbdae7583c46c7ad024308d7a732ef4
                                                          • Instruction ID: 21ead4b6cff06ed3e3e419785eda1698a2caf1b644bd2feca07b128e5ecbfdae
                                                          • Opcode Fuzzy Hash: 9c857204220ee4f0c80270ca66a401f56dbdae7583c46c7ad024308d7a732ef4
                                                          • Instruction Fuzzy Hash: 6522B5B0618B894FD359EB38841536AB7E6FF89325F5085BDE08AC7263DA3DD8468701
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9ddfb69947e5375f840b234d859f79046d21e647df71be801a5bf8154240c7a9
                                                          • Instruction ID: 4cb567fc7f0a28778b6117d8107de92aea9b92e8f5c0df821de0781605d7507a
                                                          • Opcode Fuzzy Hash: 9ddfb69947e5375f840b234d859f79046d21e647df71be801a5bf8154240c7a9
                                                          • Instruction Fuzzy Hash: 5822B5B0618B894FD359EB3884153AAB7D6FF89325F5085BDE08AC7253DA3DD8468701
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2544285910.00007FFB11CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11CD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11cd0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 11dfaea9ad3cb23fd93c311004660b83866d844609a43e4d003463458f620b0e
                                                          • Instruction ID: 487663cb450fe316efdf941532c02b0aef3ba7a40833b37937544d9001a529a6
                                                          • Opcode Fuzzy Hash: 11dfaea9ad3cb23fd93c311004660b83866d844609a43e4d003463458f620b0e
                                                          • Instruction Fuzzy Hash: 8D12397191CA8A4FEB95EF38C4547BA7BE6FF55320F1441BAD04DC7692CE28A842C781
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 20c10831a7d0864e31abac5b2298715d66ab67c7e716877bcda0430f1fa15ec5
                                                          • Instruction ID: 83cb29c11ac82fedf9e91007e7185e64e57f1844f6b47f361080f9419f4ce606
                                                          • Opcode Fuzzy Hash: 20c10831a7d0864e31abac5b2298715d66ab67c7e716877bcda0430f1fa15ec5
                                                          • Instruction Fuzzy Hash: 5D02E3B0A1CA864FD349AB38C41527AB7D6FF89325F5485BDE08AC7293DE3D98478341
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e0e7cccd4621a63b52359a702c0d8dc57e02f315e06d6d633c92f2dff827f94e
                                                          • Instruction ID: 88671569c690708df4dc21cbf822d67703fc928b3e41958463eff29ba0ad594a
                                                          • Opcode Fuzzy Hash: e0e7cccd4621a63b52359a702c0d8dc57e02f315e06d6d633c92f2dff827f94e
                                                          • Instruction Fuzzy Hash: 75F1A9B061CB494FD349EB7C841527AB7D6EF89225F5446BEE08EC7293DE3D88468701
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d004775d48bc51c9ce50a4e3a546ab69d5e920526198339091e083be7541c3c6
                                                          • Instruction ID: b5f1cb8ee2955ab57a33fe6b366c1b1bcab0ef84a932e4fee8f6497de0980b9c
                                                          • Opcode Fuzzy Hash: d004775d48bc51c9ce50a4e3a546ab69d5e920526198339091e083be7541c3c6
                                                          • Instruction Fuzzy Hash: D9E19AB061CB494FD349EB7C841527AB7D6EF89225F5486BEE08EC7293DE3D88468701
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 46bc09e21d94fd8dc8e20505f9fc382522b5fdfffd38308380aa1613494165ee
                                                          • Instruction ID: 5286a321425bca77b6cb0e18cab3aaac1bec20034655557fe79dceaa6459e7e9
                                                          • Opcode Fuzzy Hash: 46bc09e21d94fd8dc8e20505f9fc382522b5fdfffd38308380aa1613494165ee
                                                          • Instruction Fuzzy Hash: 08E1E3B0628B864FD349AB38841527AB7D6FF89325F5485BDE08AC7293DE3DD8478341
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2526933436.00007FFB11500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11500000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11500000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a2114d18b08b5792e3b28cb3f982fd7b62567b5202ee0a447da48dd7bce4d4e3
                                                          • Instruction ID: ffd3b46108758182814ae8ad618d7ded55c35feb41a9df8ceebeb4151af5cfbe
                                                          • Opcode Fuzzy Hash: a2114d18b08b5792e3b28cb3f982fd7b62567b5202ee0a447da48dd7bce4d4e3
                                                          • Instruction Fuzzy Hash: 58E15F72A1895D8FDB85EBB8C455BEDB7E2FF58320F1441BED049D7292CA78A841CB40
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bf8618191a29eae692baec98846a4d34b3c0b321a0458a9ca4d7668e379c25ac
                                                          • Instruction ID: 6b382961b0479a2cec90ef29c0e313102dff254173f48c39dc0f7cbf6484d4f3
                                                          • Opcode Fuzzy Hash: bf8618191a29eae692baec98846a4d34b3c0b321a0458a9ca4d7668e379c25ac
                                                          • Instruction Fuzzy Hash: C5D1B2B0A18A864FD349EB38841527AB7D6FF89325F5085BDE08AC7293DE3DD8478741
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 54917aecc1b8c2ac07206985606e4567dcac79e6bfe5d964e7fff3c78458c3b6
                                                          • Instruction ID: 3006dc78960dc14bd053fccbc3fbae06813b4f6f56ba68d276fdb36dc1ac8c49
                                                          • Opcode Fuzzy Hash: 54917aecc1b8c2ac07206985606e4567dcac79e6bfe5d964e7fff3c78458c3b6
                                                          • Instruction Fuzzy Hash: 1EC1B1B0A18A4A4FD358AB38C41537A73DAEF89325B5445BDE04EC7293EE3AD8478740
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2539984684.00007FFB11B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11b40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 031bc1377c9250610e20a92e25f269d7786369b95e491df38495f44e0f092c2c
                                                          • Instruction ID: fb27c07c2bc6806e79a05249c9a0568824e06691565b5c1947e74db89d9d3c66
                                                          • Opcode Fuzzy Hash: 031bc1377c9250610e20a92e25f269d7786369b95e491df38495f44e0f092c2c
                                                          • Instruction Fuzzy Hash: B1B1B6B1B1CE094FE798EA3CD45A6B973D2EB99321F4401BEE04EC3297DD29AC424741
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a0913d9a01d7714504fc6ee5f8e287fc415a19550a762d60d84b8dcb40a1f099
                                                          • Instruction ID: c1d612a228449634f8dc39b6a9de1e24b59f51348746b162b27526f59eb575d6
                                                          • Opcode Fuzzy Hash: a0913d9a01d7714504fc6ee5f8e287fc415a19550a762d60d84b8dcb40a1f099
                                                          • Instruction Fuzzy Hash: 23C1A2B0A18B864FD349EB38841527AB7D6FF89325F5085BDE08AC7293DE3DD8468741
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5df8dc7d64c94c2d2b5b196637149a8e792acb932506a7f8a3d12f04b111a2da
                                                          • Instruction ID: d8458efc18fa0e5e27c7aa50dfae76ddbf1636f2d559e6218485c4061608bb5e
                                                          • Opcode Fuzzy Hash: 5df8dc7d64c94c2d2b5b196637149a8e792acb932506a7f8a3d12f04b111a2da
                                                          • Instruction Fuzzy Hash: D6C161B1A18A494FD394EB3CC45576AB7D6FFD9311F50867EE08EC32A2DE3898468701
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6777598928433ed11772752e6f814e88c6163d08e933dd98d4940436766ba9ca
                                                          • Instruction ID: a0ae2c3f62c1db56065773814b28fbe97ae2188d1b628beed866d8a1ce415fd7
                                                          • Opcode Fuzzy Hash: 6777598928433ed11772752e6f814e88c6163d08e933dd98d4940436766ba9ca
                                                          • Instruction Fuzzy Hash: 52C193B0A18B464FD348EB38C41527AB7D6FF89325F5486BDE08EC7293DE3998468741
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2539984684.00007FFB11B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11b40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f064fd9544a2d97282a8b85d3c7ac726d360328d5789dcd4ab94ea8b794caa17
                                                          • Instruction ID: e51f1c5c759756b7f8fa553727dcfc5cc36318e359e25f95ca54e66a5effbef0
                                                          • Opcode Fuzzy Hash: f064fd9544a2d97282a8b85d3c7ac726d360328d5789dcd4ab94ea8b794caa17
                                                          • Instruction Fuzzy Hash: EDB17762B1CE494FE768AA3CD4153B973C2EB98711F5442BED44EC37C7DD28AC414682
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9175606c8d6da7afefa98440547454b4829771f1cfe785e9cacfe7ed7360f2c3
                                                          • Instruction ID: a9481b8739de3a70b644f0b9be3cad943141896044f5cff9b97145d3fae0ca6c
                                                          • Opcode Fuzzy Hash: 9175606c8d6da7afefa98440547454b4829771f1cfe785e9cacfe7ed7360f2c3
                                                          • Instruction Fuzzy Hash: 9DC1B1B0A18A4A4FD358EB38C41527AB7D6FF89325F5085BDE08EC7393DE3998468741
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4305f93180e3b14c582bf23b6c084cdd85662eea80eccae1972033f3d2294e5e
                                                          • Instruction ID: 92c79c63aa7bda6ff301fb5c2f6d3445db55d5bac1cc9007b3876a847e8c60aa
                                                          • Opcode Fuzzy Hash: 4305f93180e3b14c582bf23b6c084cdd85662eea80eccae1972033f3d2294e5e
                                                          • Instruction Fuzzy Hash: 3FB193B0628B454FD349EB38841527AB7D6FF89325F5085BDE08AC7293DE3DD8468741
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ac741780bd4e075606bdd92bcdac0119e28f591610daf1ec171e97f14e1926c2
                                                          • Instruction ID: 830eee4710d9e131bb4e0a1b048dbc4f3ba7aa345d41bb55c927b5ac4520bed1
                                                          • Opcode Fuzzy Hash: ac741780bd4e075606bdd92bcdac0119e28f591610daf1ec171e97f14e1926c2
                                                          • Instruction Fuzzy Hash: B3A151B0618A894FD389EF78841527AB7D6EFCD225F5585BDE08EC7253DE3D88468700
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1a942c368ce0575d630b74eaa30041416e837fdc25246263b09aff53c22c93c6
                                                          • Instruction ID: 778288b3e5b74252c62bc558ec6aeddfd861eba107b8e7d0eeee4354351a7f4d
                                                          • Opcode Fuzzy Hash: 1a942c368ce0575d630b74eaa30041416e837fdc25246263b09aff53c22c93c6
                                                          • Instruction Fuzzy Hash: 189164B0A28A464FD358AB38841527AB7D6FFC9325F5085BDE08AC3397DE3DD8468641
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1e0352e8ef6a023df250cbf09e8b4d7aefc5e5fd4c9728fa3c0195f44eb5fd31
                                                          • Instruction ID: 7ad84c5c338b653e710cbf8349460bca0200b11c026ac39fa9bc0654ca7af269
                                                          • Opcode Fuzzy Hash: 1e0352e8ef6a023df250cbf09e8b4d7aefc5e5fd4c9728fa3c0195f44eb5fd31
                                                          • Instruction Fuzzy Hash: 169172B0A18A4A4FD358EB38C41537AB3D6FF89325B5445BDE04EC7393DE3998868740
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1a1cbfb7426d3554ec80289fba6ab9e8f53e16cec07c12f25f530ec48bc03355
                                                          • Instruction ID: f7abb9078cf59547a2ab4b59f4db9d3a319865d03d0c765e28248825e34919e0
                                                          • Opcode Fuzzy Hash: 1a1cbfb7426d3554ec80289fba6ab9e8f53e16cec07c12f25f530ec48bc03355
                                                          • Instruction Fuzzy Hash: 4281C1B0A28A4A4FD358AB38C41537AB7DAEF89325F5445BDE04EC7393DE3998468341
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2544285910.00007FFB11CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11CD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11cd0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e065629d38236e079bd21d7298e41d1289ed80c05d64498ad9a4a74974a014fe
                                                          • Instruction ID: fb019c533c5bd7133eeabb57fc57638964793ff413ad0a8e02e4d57994d55f16
                                                          • Opcode Fuzzy Hash: e065629d38236e079bd21d7298e41d1289ed80c05d64498ad9a4a74974a014fe
                                                          • Instruction Fuzzy Hash: 08812673A0C7964FE712EB7CE8412E57BE1DF16364F1440BBC189CB1A3DA29A852C780
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2539984684.00007FFB11B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11b40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ad4f9d6b02cc16f79b3e6233077effca708b823bd1d3fb22a28fa4d0e0667579
                                                          • Instruction ID: e6ce7e590902bb63a9e2dd3c47c3d731a6e215ad3cd16ed34f5b391a68cb14a3
                                                          • Opcode Fuzzy Hash: ad4f9d6b02cc16f79b3e6233077effca708b823bd1d3fb22a28fa4d0e0667579
                                                          • Instruction Fuzzy Hash: 827174A1B1CE094FF798FB3CD45A3B9B2C2EB98311F5445BAE50EC3297DD18AC424681
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 119f2577e3d9dfdc6e630ec70634e3638091757e7bf3f658fd28991823b318fa
                                                          • Instruction ID: 26e2002b9294b19d446ff0e779c8b1abd07e72d36f6c903b1e2881da6a32c2db
                                                          • Opcode Fuzzy Hash: 119f2577e3d9dfdc6e630ec70634e3638091757e7bf3f658fd28991823b318fa
                                                          • Instruction Fuzzy Hash: B591FA7060CB864FD745DB78C4156A97BD2EF8B330F5846BED49AC32A3CA6C88878741
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 91ca77334b865caa61bc97411bb244a6f3eddd41889a8fd6f150336463fff331
                                                          • Instruction ID: b450e0eaea43479c22cd10b83aee8699b0885d2def611acb69672cdcefd8e9fe
                                                          • Opcode Fuzzy Hash: 91ca77334b865caa61bc97411bb244a6f3eddd41889a8fd6f150336463fff331
                                                          • Instruction Fuzzy Hash: EF81EC7060CB864FD759DB78C0157A97BD2EF8A330F5846BED49AC71A3C96C88878741
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 093e49be36d0b56f5fabb880b292604d6099485f0df44949712ecf49d7a35c42
                                                          • Instruction ID: f0347ec932ae67fdd6a9cdc3fd4579c3cf81b4e9dcab67944ecbfb1600b81acf
                                                          • Opcode Fuzzy Hash: 093e49be36d0b56f5fabb880b292604d6099485f0df44949712ecf49d7a35c42
                                                          • Instruction Fuzzy Hash: AC8192B0A18A4A4FD759EB38C01137AB6D6FF89315F1485BDE08EC3397DE3988468701
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d9eee94ed667d8f04684b1d661d020220832e9f11073939a701be9974cc791d9
                                                          • Instruction ID: 68b94fa7fb75d61b1f288be9e863fd1462698f3577f7ff066ca4163cc337c137
                                                          • Opcode Fuzzy Hash: d9eee94ed667d8f04684b1d661d020220832e9f11073939a701be9974cc791d9
                                                          • Instruction Fuzzy Hash: 038193B0A18E494FD758EB38C41537AB6D6FF89325F1485BDE08EC7293DE3998468701
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8b8a60b28d943c24fcfa0aaaf9458445779cdb80174c3df57cb7ca3711bdf67e
                                                          • Instruction ID: d4db01183e94289aa19a64e8f3fd843bc401844a8ec692d9cbb70ce001767273
                                                          • Opcode Fuzzy Hash: 8b8a60b28d943c24fcfa0aaaf9458445779cdb80174c3df57cb7ca3711bdf67e
                                                          • Instruction Fuzzy Hash: A2810A7064DFC65FD785DF7C84085A97BE2EF8B23075886ADE0D9C31A7C66C888A8701
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c60bc0dfebcfb9271582982164fe72fa0ca37fe3a6ba0d2db34bb8b4ffee9520
                                                          • Instruction ID: c0912d3ebfc40af454720d3e8bdac9837c44c1dd7b7a9f2404e298242a7e7c30
                                                          • Opcode Fuzzy Hash: c60bc0dfebcfb9271582982164fe72fa0ca37fe3a6ba0d2db34bb8b4ffee9520
                                                          • Instruction Fuzzy Hash: F061E4B0A1DB464FD359AB38C81517A77EAEF8A22571545FED08AC72A3ED3DD8478300
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c305cf89495f57eff4f62aca33e956a1a7f1c94273c399ad79e0fa24f905e31e
                                                          • Instruction ID: b2e203a2b35c16b69f8ff3a6db33db114c081195348070d36b69c2ad26837a6d
                                                          • Opcode Fuzzy Hash: c305cf89495f57eff4f62aca33e956a1a7f1c94273c399ad79e0fa24f905e31e
                                                          • Instruction Fuzzy Hash: 4C81EB7054CB864FD759D77884152A9BBE2EF86334B1946FED09BC71A3C96C88878740
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7a73f99e0034b8f00731548cbba9bc248c904dc0304579fd8dcdf0167e307621
                                                          • Instruction ID: c37f7dcfd19e7d091e7d2b7b873c6b821470fd13a5a761f767521808f5459418
                                                          • Opcode Fuzzy Hash: 7a73f99e0034b8f00731548cbba9bc248c904dc0304579fd8dcdf0167e307621
                                                          • Instruction Fuzzy Hash: 69710B7060DB865FD346DB78C4152697BE2EF86334B1945FED08AC72A3DA2C88478741
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4a34715e46b0e79ae8de2a391b279170fcdb08434e27a49e40045104ff8965dd
                                                          • Instruction ID: f8f13a1ebfc2851adcdda0049e75115a285eb26f714f56c529266cbd07fb1477
                                                          • Opcode Fuzzy Hash: 4a34715e46b0e79ae8de2a391b279170fcdb08434e27a49e40045104ff8965dd
                                                          • Instruction Fuzzy Hash: 3571B670648EC65FD781DF7CC4546A97BD2EF8F23075897A9E499C31A7D62C888B8301
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 09d1f795dccf46be4f4687b62f50911cdb2a27ddaf363657393239412a5b13bc
                                                          • Instruction ID: 399aef4cfdd8a892f8df5828c4115388d4258d98c1b71289436ce619084c1c40
                                                          • Opcode Fuzzy Hash: 09d1f795dccf46be4f4687b62f50911cdb2a27ddaf363657393239412a5b13bc
                                                          • Instruction Fuzzy Hash: 4161D370A1CA854FC349EB38C41566AB7D6FF89325F1449BEE09AC7293DE3D98478341
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 018872c7bc787b733ba81a357a2f6eb59f3fe7b778a3a0c3452ce78f8d45cb29
                                                          • Instruction ID: ab4876e5d8f8d90b6aa8e1ea787254fe261df43333b05585f1c0af661caceecd
                                                          • Opcode Fuzzy Hash: 018872c7bc787b733ba81a357a2f6eb59f3fe7b778a3a0c3452ce78f8d45cb29
                                                          • Instruction Fuzzy Hash: 5151F67060DA864FD749DB7CC414669BBD2EF8A334B1846FED09AC72D3DA2D88878341
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 29b4597bf6e6c756e8124acd04f24946097f4845d60915b1272e854640bd3dd5
                                                          • Instruction ID: 99015370d3536dda2c2637fff444c813291dee54ec4f0e52fd223cc7d0ec5026
                                                          • Opcode Fuzzy Hash: 29b4597bf6e6c756e8124acd04f24946097f4845d60915b1272e854640bd3dd5
                                                          • Instruction Fuzzy Hash: E851F6B0A1CB464FD355EB38C81566AB7D6EF89325B0585BED08AC7293DE38D847C341
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 504f06341659696ccc9eb8aa374aa1772fdbd8eee05fd3cbfa544f558df23a90
                                                          • Instruction ID: 48627ddda149d43b3d5a1439c03cca9192d3c4b0ad1984160caa9b25c267be63
                                                          • Opcode Fuzzy Hash: 504f06341659696ccc9eb8aa374aa1772fdbd8eee05fd3cbfa544f558df23a90
                                                          • Instruction Fuzzy Hash: 7E51267060DB864FD746DB78C4155A97FE2EF8B23071846FED49AC71A3CA2C888B8341
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 43ccd77790627777c2f1270bd32fba8932cfc2941679843d6f5f8f37e172b3c3
                                                          • Instruction ID: 22ad6625af7ba76da7e68ae7c9834e19126e903a58f6afa6c59f750830c49932
                                                          • Opcode Fuzzy Hash: 43ccd77790627777c2f1270bd32fba8932cfc2941679843d6f5f8f37e172b3c3
                                                          • Instruction Fuzzy Hash: F161C87060DA865FD786DB78C4156AD7FD2EF8B230B5845EDE48BC71A3C96C888B8701
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2544285910.00007FFB11CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11CD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11cd0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1c96d45efa36c1d4e840363af88ac6c9fd80f307cdb3b15066f9ce13f18ff15b
                                                          • Instruction ID: 7b4b9022a444cb01ab2121a3cce6cbab863febb60b9ac2438b7c73c2dc018a7d
                                                          • Opcode Fuzzy Hash: 1c96d45efa36c1d4e840363af88ac6c9fd80f307cdb3b15066f9ce13f18ff15b
                                                          • Instruction Fuzzy Hash: 81510433A1872A9FEB11FA3CF8422E5B7D1DF153B4B04407BD189DB292DA25A852D7C0
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cdee9689a5ce7b6b80b30ebaedbfca8ecd0fd0f07f2a655da983ed680f9c0a10
                                                          • Instruction ID: 5f583b798392fb9ba8265f8982821256ede2d4304d782281565b9b24ab8b867f
                                                          • Opcode Fuzzy Hash: cdee9689a5ce7b6b80b30ebaedbfca8ecd0fd0f07f2a655da983ed680f9c0a10
                                                          • Instruction Fuzzy Hash: E7518670648E865FD785DB7CC414AA97BD2EF8F130B98D6A9E089C71A7C63C884B8701
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1230e33ded8f22d28d632eeb076b9b1226dcf500d7db263748d04b1cd1810b09
                                                          • Instruction ID: 893a32c267014a15b0bb1fee2c3bcc120c7d0d93bcf9edf8f0a021fe77933e05
                                                          • Opcode Fuzzy Hash: 1230e33ded8f22d28d632eeb076b9b1226dcf500d7db263748d04b1cd1810b09
                                                          • Instruction Fuzzy Hash: 7551A7B0A1DB864FD315EB34C81522AB7E6EF8A215B1585FED08AC7293DE39D846C301
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 244ce9a825ea495f9e5ed43b8f2512f3d6517fdb4e3e150f3c2a25af2f155d52
                                                          • Instruction ID: 9f9afc0528f249c914fd4439476e82150c279d1f35812252cf14484b2bf7dd79
                                                          • Opcode Fuzzy Hash: 244ce9a825ea495f9e5ed43b8f2512f3d6517fdb4e3e150f3c2a25af2f155d52
                                                          • Instruction Fuzzy Hash: 3951967064D7869FD346DB78C4146697FE2EF8A234B1981FEC08ACB2A3DA2C48478741
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae9d0b15970fdb854dcadb9d3a6136e49bb59849c54086ada7c8f49fde247d75
                                                          • Instruction ID: dd1516f4e4bc372cb84664a970892ed9e24be6fdc984143dea1c8c5275002c2d
                                                          • Opcode Fuzzy Hash: ae9d0b15970fdb854dcadb9d3a6136e49bb59849c54086ada7c8f49fde247d75
                                                          • Instruction Fuzzy Hash: AF410670A1CE464FE754EB3CC40566A7BD2EF8A334B5847BDD09AC32D2DA2C98874341
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7d6b6fcc5d12e13af18e923f38fc2a9e4afe1960bbf4b8035d367d019f529a6d
                                                          • Instruction ID: ce1146bc7631635aa2f95e6f6dc4fbe4d7b6a06cd1066a7402c4a6acc82a099e
                                                          • Opcode Fuzzy Hash: 7d6b6fcc5d12e13af18e923f38fc2a9e4afe1960bbf4b8035d367d019f529a6d
                                                          • Instruction Fuzzy Hash: 2341087161CA854FE755DB38C405679BBD2EF86334B4986BED09AC71D3CE29D44B8340
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 89087485c0eeccf053542f9f82998562ea02aa245da8dc28fe120397181d3436
                                                          • Instruction ID: 3ebb9037a051a15cce47087a0d71c28f1846d50446b3ee0e42572b63031ea037
                                                          • Opcode Fuzzy Hash: 89087485c0eeccf053542f9f82998562ea02aa245da8dc28fe120397181d3436
                                                          • Instruction Fuzzy Hash: 9B4121B0A18A494FD758EB38801137AB6D6FF89315F5085BDE04EC3397DE3D88469701
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 16ed534e3097983dff86a9c0a6fafd56a5676c81dd8660b405a2f124e477ad23
                                                          • Instruction ID: 3b99b22ac6d44c61d0482bf64f915d4b695d7b6d9127d5fbf5bcb749f6ff6221
                                                          • Opcode Fuzzy Hash: 16ed534e3097983dff86a9c0a6fafd56a5676c81dd8660b405a2f124e477ad23
                                                          • Instruction Fuzzy Hash: DA4111B0A18A4A4FD759EB38801537AB6D6FF89315F5086BDE04EC3397DE3D88469701
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2507cc2ccd961ee00071bc6097f4c5d77984aa10e6478b9c06f446f166f9ba37
                                                          • Instruction ID: 8dc62daeeab382b33d9accb99aabcae61dcfa846d4471ced79d72cfd57ba6ef4
                                                          • Opcode Fuzzy Hash: 2507cc2ccd961ee00071bc6097f4c5d77984aa10e6478b9c06f446f166f9ba37
                                                          • Instruction Fuzzy Hash: 9551867064DB865FD386DB78C4156697BE2EF8B23471981FED08AC72A3DA2C48478705
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e76ec711f0566bd874901cce2a5ee2496d081e5f149fc5d665ba587d24a42d87
                                                          • Instruction ID: 38cc2872fe4a86876dc0c9973c59ba110da7ae3317d4d11f75b5fd427992c451
                                                          • Opcode Fuzzy Hash: e76ec711f0566bd874901cce2a5ee2496d081e5f149fc5d665ba587d24a42d87
                                                          • Instruction Fuzzy Hash: AC41D670A1CE864FD758DB78C4155BA7BD2EF8623574986BAD0AAC72D3DA2CC8478340
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b8eaca7e9e3c0cbd0800eea1c48ceeb268f572ba6abda5b52d4f87571aaf4883
                                                          • Instruction ID: 0d0dc54846f1676a2c9f7cd5316ab2722612e6648012d4e718312ca02c397a0f
                                                          • Opcode Fuzzy Hash: b8eaca7e9e3c0cbd0800eea1c48ceeb268f572ba6abda5b52d4f87571aaf4883
                                                          • Instruction Fuzzy Hash: 3041187061CE854FE759DB38C41557A7BD6EF8633475886BED0AAC7193DA2CC8478340
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 13f2fb4d0d9364988dc15f0fea7430a84cf53d0f7f1b420348b4c399e0d009e0
                                                          • Instruction ID: f6eee54a402b6c7093db7d26525df086f5e330021ce1b58e05b35a0674529cce
                                                          • Opcode Fuzzy Hash: 13f2fb4d0d9364988dc15f0fea7430a84cf53d0f7f1b420348b4c399e0d009e0
                                                          • Instruction Fuzzy Hash: E441D47070CA864FD789DB3CC0157A97BD2EF8A324B5486BDD08BC7293CA6C88878741
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 535eab8491b0380a82da20e5aa278b01b195ae36b61b67413f683d6e244fc0be
                                                          • Instruction ID: 851766cbf513a7399188eea2669eb5dfebe34e70dd1f73a49ecb040130f8afee
                                                          • Opcode Fuzzy Hash: 535eab8491b0380a82da20e5aa278b01b195ae36b61b67413f683d6e244fc0be
                                                          • Instruction Fuzzy Hash: 7141B770718A895FD789EB7884116697BD3EFCA324B5986BDD09AC3293DE3CC8478700
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 062a74e64f100e9a4e98e5d3eb2355812a923a851235ab9d790226dde191cb27
                                                          • Instruction ID: bad77677b98d2598f184c39c1a0524f8f9f2d8dc6b6376978971b7f74b128e4a
                                                          • Opcode Fuzzy Hash: 062a74e64f100e9a4e98e5d3eb2355812a923a851235ab9d790226dde191cb27
                                                          • Instruction Fuzzy Hash: 91314BB0A1CA854FD755DB78C815579BBD2EF8623474986BED0AAC32D3DA2CC8478340
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 435585d6fd8cd8e8efb17947f4fcb83997d82f445343016177ac02459bdaa094
                                                          • Instruction ID: c292cf81a1a88cddf8ace41c011f981aebed0bc4325ec3844725330e60a9c6bb
                                                          • Opcode Fuzzy Hash: 435585d6fd8cd8e8efb17947f4fcb83997d82f445343016177ac02459bdaa094
                                                          • Instruction Fuzzy Hash: F041F87061CA864FD759EF38C4116697BE2EF8B220B5985FDD08AC7293CA3C884B8740
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0b6b2a856ed5702ff449b3c059adc549e420b7557f4471b43b59d68a8f4e0b02
                                                          • Instruction ID: d9940ff272156a00d74242b9c66f294e6edad4688ea3893f8f715ca344c6f033
                                                          • Opcode Fuzzy Hash: 0b6b2a856ed5702ff449b3c059adc549e420b7557f4471b43b59d68a8f4e0b02
                                                          • Instruction Fuzzy Hash: CD31D770718E855FD788EB3884116797BD3EF8A22575586BD909AC3293DE3CC8474300
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9471497783284c1c5e18e675de4acf5ab88578748f8305adaed063e637a330b0
                                                          • Instruction ID: da49a2796a50d90e7187093fd08bee763947cc28bc6a8864315642fc1449fbe6
                                                          • Opcode Fuzzy Hash: 9471497783284c1c5e18e675de4acf5ab88578748f8305adaed063e637a330b0
                                                          • Instruction Fuzzy Hash: F031B57061CA895FD789EB38841166A7BD3EF8A224759C6BD909AC3293DE3CC8478300
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e522090d83dbd4867e17b496244ce3765beba4ad019c573d3fd86cff3d18b922
                                                          • Instruction ID: 8ecfbcb02a8d51f3011fd997e51f7c9821dd6040a3ada07398270c173a3524fa
                                                          • Opcode Fuzzy Hash: e522090d83dbd4867e17b496244ce3765beba4ad019c573d3fd86cff3d18b922
                                                          • Instruction Fuzzy Hash: A521A570618A8A4FD799DB3884116797BD3EFCA22575986BD909AC3293DE38C84B4340
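The listing above is a run of identically shaped "Memory Dump Source" entries, one per function recovered from the PowerShell process dump, each carrying a Joe Sandbox Opcode ID, Instruction ID and two fuzzy hashes. Several entries are near copies of each other (for example the entries whose Opcode IDs begin 89087485 and 16ed534e differ in only a handful of hex positions of their Instruction Fuzzy Hash). As an added example, not part of this report or of Joe Sandbox's own tooling, the Python below parses such entries into records and groups near-identical functions by their Instruction Fuzzy Hash. The sample is three entries copied from this listing; the nibble-wise agreement score and the 0.85 threshold are assumptions made here for illustration, not the similarity measure Joe Sandbox applies to these hashes.

```python
import re
from itertools import combinations

# Constructed sample: three "Memory Dump Source" entries copied from this
# report's listing (hash values are the report's own).
SAMPLE_ENTRIES = """\
Memory Dump Source
• Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 89087485c0eeccf053542f9f82998562ea02aa245da8dc28fe120397181d3436
• Instruction ID: 3ebb9037a051a15cce47087a0d71c28f1846d50446b3ee0e42572b63031ea037
• Opcode Fuzzy Hash: 89087485c0eeccf053542f9f82998562ea02aa245da8dc28fe120397181d3436
• Instruction Fuzzy Hash: 9B4121B0A18A494FD758EB38801137AB6D6FF89315F5085BDE04EC3397DE3D88469701
Memory Dump Source
• Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 16ed534e3097983dff86a9c0a6fafd56a5676c81dd8660b405a2f124e477ad23
• Instruction ID: 3b99b22ac6d44c61d0482bf64f915d4b695d7b6d9127d5fbf5bcb749f6ff6221
• Opcode Fuzzy Hash: 16ed534e3097983dff86a9c0a6fafd56a5676c81dd8660b405a2f124e477ad23
• Instruction Fuzzy Hash: DA4111B0A18A4A4FD759EB38801537AB6D6FF89315F5086BDE04EC3397DE3D88469701
Memory Dump Source
• Source File: 00000001.00000002.2534234852.00007FFB11900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffb11900000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae9d0b15970fdb854dcadb9d3a6136e49bb59849c54086ada7c8f49fde247d75
• Instruction ID: dd1516f4e4bc372cb84664a970892ed9e24be6fdc984143dea1c8c5275002c2d
• Opcode Fuzzy Hash: ae9d0b15970fdb854dcadb9d3a6136e49bb59849c54086ada7c8f49fde247d75
• Instruction Fuzzy Hash: AF410670A1CE464FE754EB3CC40566A7BD2EF8A334B5847BDD09AC32D2DA2C98874341
"""

FIELD = re.compile(r"^\s*•\s*([A-Za-z ]+?):\s*(.*)$")


def _key(name):
    return name.strip().lower().replace(" ", "_")


def parse_entries(text):
    """Split the listing into one dict per 'Memory Dump Source' entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            current = {}
            entries.append(current)
            continue
        m = FIELD.match(line) if current is not None else None
        if not m:
            continue  # "Joe Sandbox IDA Plugin" / "Similarity" labels carry no value
        key, value = _key(m.group(1)), m.group(2).strip()
        if key == "source_file":
            # value looks like "<dump>.sdmp, Offset: <hex>, based on PE: false"
            parts = [p.strip() for p in value.split(",")]
            current[key] = parts[0]
            for part in parts[1:]:
                k, _, v = part.partition(":")
                current[_key(k)] = v.strip()
        else:
            current[key] = value
    return entries


def opcode_hash_matches_id(entries):
    """In this report the Opcode Fuzzy Hash field repeats the Opcode ID verbatim."""
    return all(e.get("opcode_fuzzy_hash") == e.get("opcode_id") for e in entries)


def nibble_similarity(h1, h2):
    """Fraction of hex positions on which two equal-length hashes agree (assumed heuristic)."""
    if not h1 or len(h1) != len(h2):
        return 0.0
    return sum(a == b for a, b in zip(h1.upper(), h2.upper())) / len(h1)


def cluster_by_instruction_hash(entries, threshold=0.85):
    """Single-linkage (union-find) grouping of entries whose Instruction Fuzzy Hashes agree on >= threshold of positions."""
    parent = list(range(len(entries)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i, j in combinations(range(len(entries)), 2):
        if nibble_similarity(entries[i]["instruction_fuzzy_hash"],
                             entries[j]["instruction_fuzzy_hash"]) >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i, e in enumerate(entries):
        groups.setdefault(find(i), []).append(e["opcode_id"])
    return sorted(groups.values(), key=len, reverse=True)
```

On the three sample entries the first two Instruction Fuzzy Hashes agree on 63 of 70 positions (0.9) and fall into one group, while the third agrees with the first on fewer than half and stays alone; `opcode_hash_matches_id` confirms that, as in every entry of this listing, the Opcode Fuzzy Hash field simply repeats the Opcode ID.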

                                                          Execution Graph

                                                          Execution Coverage: 8.7%
                                                          Dynamic/Decrypted Code Coverage: 0%
                                                          Signature Coverage: 0%
                                                          Total number of Nodes: 553
                                                          Total number of Limit Nodes: 39
                                                          [Execution graph rendering, flattened in this export to a token stream of node ids, addresses, optional API annotations and id->id edges; the stream is truncated at the end. Named API calls annotated on graph nodes: ComputeAccessTokenFromCodeAuthzLevel, GetFileAttributesW, GetSystemInfo, IdentifyCodeAuthzLevelW, SetThreadUILanguage. Other nodes carry only an unresolved call count ("3 API calls" through "6 API calls").]
8af6e01 GetFileAttributesW 120855->120864 120865 8af6e10 GetFileAttributesW 120855->120865 120866 8af71c0 GetFileAttributesW 120855->120866 120867 8af72b0 GetFileAttributesW 120855->120867 120856->120855 120858 8af7276 120856->120858 120857->120856 120868 8af6e01 GetFileAttributesW 120857->120868 120869 8af6e10 GetFileAttributesW 120857->120869 120870 8af71c0 GetFileAttributesW 120857->120870 120859 8af7215 120858->120859 120861 8af7880 GetFileAttributesW 120858->120861 120862 8af7890 GetFileAttributesW 120858->120862 120859->120761 120860 8af7363 120860->120761 120861->120860 120862->120860 120863->120859 120864->120859 120865->120859 120866->120859 120867->120859 120868->120856 120869->120856 120870->120856 120872 8af71e0 120871->120872 120873 8af71f9 120872->120873 120874 8af7276 120872->120874 120877 8af721a GetFileAttributesW 120873->120877 120878 8af6e01 GetFileAttributesW 120873->120878 120879 8af6e10 GetFileAttributesW 120873->120879 120880 8af71c0 GetFileAttributesW 120873->120880 120881 8af72b0 GetFileAttributesW 120873->120881 120875 8af7215 120874->120875 120882 8af7880 GetFileAttributesW 120874->120882 120883 8af7890 GetFileAttributesW 120874->120883 120875->120839 120876 8af7363 120876->120839 120877->120875 120878->120875 120879->120875 120880->120875 120881->120875 120882->120876 120883->120876 120885 8af721f 120884->120885 120886 8af7286 120885->120886 120888 8af7880 GetFileAttributesW 120885->120888 120889 8af7890 GetFileAttributesW 120885->120889 120886->120842 120887 8af7363 120887->120842 120888->120887 120889->120887 120891 8af72d6 120890->120891 120892 8af76e8 120891->120892 120894 8af7880 GetFileAttributesW 120891->120894 120895 8af7890 GetFileAttributesW 120891->120895 120892->120842 120893 8af7363 120893->120842 120894->120893 120895->120893 120897 8af78b7 120896->120897 120898 8af78bd 120896->120898 120897->120898 120906 8af8120 120897->120906 120916 8af8110 120897->120916 120898->120843 120902 8af78b7 120901->120902 120903 8af78bd 
120901->120903 120902->120903 120904 8af8120 GetFileAttributesW 120902->120904 120905 8af8110 GetFileAttributesW 120902->120905 120903->120843 120904->120903 120905->120903 120908 8af813d 120906->120908 120907 8af8298 120907->120898 120908->120907 120909 8af8375 120908->120909 120913 3365150 GetFileAttributesW 120908->120913 120914 8af8120 GetFileAttributesW 120908->120914 120915 8af8110 GetFileAttributesW 120908->120915 120926 8af84c0 120909->120926 120930 8af84b0 120909->120930 120910 8af845c 120910->120898 120913->120908 120914->120908 120915->120908 120918 8af813d 120916->120918 120917 8af8298 120917->120898 120918->120917 120919 8af8375 120918->120919 120921 3365150 GetFileAttributesW 120918->120921 120922 8af8120 GetFileAttributesW 120918->120922 120923 8af8110 GetFileAttributesW 120918->120923 120924 8af84b0 GetFileAttributesW 120919->120924 120925 8af84c0 GetFileAttributesW 120919->120925 120920 8af845c 120920->120898 120921->120918 120922->120918 120923->120918 120924->120920 120925->120920 120927 8af84da 120926->120927 120928 3365150 GetFileAttributesW 120926->120928 120929 33651b0 GetFileAttributesW 120926->120929 120927->120910 120928->120927 120929->120927 120932 3365150 GetFileAttributesW 120930->120932 120933 33651b0 GetFileAttributesW 120930->120933 120931 8af84da 120931->120910 120932->120931 120933->120931 120935 8af1db0 120934->120935 120936 8af1ea3 120935->120936 120937 8af2428 GetFileAttributesW 120935->120937 120936->120771 120937->120936 120939 8af1e7e 120938->120939 120940 8af1ea3 120938->120940 120939->120940 120941 8af2428 GetFileAttributesW 120939->120941 120940->120771 120941->120940

                                                          Control-flow Graph

                                                          [Graph layout omitted. Function entry block 8e71880-8e718fd; basic blocks extend to 8e71fa0-8e71fa5. Outgoing calls: 8b4c170, 8b4c11d, 8b4c2d9, 8bcfc50, 8bcfc40. Executed / not-executed block colouring is not recoverable from the extracted text.]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ^Et$^Et$^Et$^Et$^Et$k
                                                          • API String ID: 0-1005809038
                                                          • Opcode ID: fe994afaf290d5eee522d451f7ec834b3543d0d917c0a6bcf372c78b95d1aeda
                                                          • Instruction ID: 675480b51d4b2177c5efab978020f4a45da23a58b181b222e58c90b2c81d3605
                                                          • Opcode Fuzzy Hash: fe994afaf290d5eee522d451f7ec834b3543d0d917c0a6bcf372c78b95d1aeda
                                                          • Instruction Fuzzy Hash: 5C226B35B006059FDB19EBB5C854AAEBBB2EFC8212B14842DD506EB350DF34ED06CB95

                                                          Control-flow Graph

                                                          [Graph layout omitted. Function entry block 8bc7920-8bc7952; basic blocks extend to 8bc8504-8bc8508. Outgoing calls: 8bc791a, 8bc7920 (self-recursive), 8e75fe2, 8e75f20, 8e76010, 8e76fa0, 8e76f80, 8e76f90, 8e7ad70, 8bc1be0, 8bc1bd0, 8e7604a, 8bc1ba2. Executed / not-executed block colouring is not recoverable from the extracted text.]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "Et$"Et$Ld>t$Ld>t$fBKt
                                                          • API String ID: 0-2491967400
                                                          • Opcode ID: e263040a01b4cef5f412d7205eafdc7ce1eda710f9c4a02ad3a9bf0147e9c7d4
                                                          • Instruction ID: 4a91ce6016b7f74291e77866443d4d946f730aa6d90538757d4efe80faabee82
                                                          • Opcode Fuzzy Hash: e263040a01b4cef5f412d7205eafdc7ce1eda710f9c4a02ad3a9bf0147e9c7d4
                                                          • Instruction Fuzzy Hash: 8462F574B00215CFDB54DB64D894BAEB7B2EF88301F1085A9D50AAB395DF31AD86CF50

                                                          Control-flow Graph

                                                          [Graph layout omitted. Function entry block 8e72ee8-8e72f25; basic blocks extend to 8e73420-8e73433. Outgoing calls: 8e72ee8 (self-recursive), 8e72ed8, 8b4a9a8, 8b4a998. Executed / not-executed block colouring is not recoverable from the extracted text.]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ^Et$^Et$^Et
                                                          • API String ID: 0-4041598077
                                                          • Opcode ID: 11b43010e2791e2d200de307802b2117ca54f825e54f92173ef5800b5cb800c7
                                                          • Instruction ID: c1b2722f96f9e2876b0ba48bead090f44404416c1e31e8ea1fe56927b400d31c
                                                          • Opcode Fuzzy Hash: 11b43010e2791e2d200de307802b2117ca54f825e54f92173ef5800b5cb800c7
                                                          • Instruction Fuzzy Hash: 15E17B35B002049FDB58DBA8C494AAEBBF2AF88311F55D46DD406AB3A1DF34EC46DB50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ^Et$^Et
                                                          • API String ID: 0-947825624
                                                          • Opcode ID: da791207c03e6fe2b8c13f9b6869bd1c28f4ce6e5980793a929b4b32b15a2a46
                                                          • Instruction ID: 7ae08d065db9a91f4c9a4d1e81ce90a1ef94a08535f551430f1c378b96577556
                                                          • Opcode Fuzzy Hash: da791207c03e6fe2b8c13f9b6869bd1c28f4ce6e5980793a929b4b32b15a2a46
                                                          • Instruction Fuzzy Hash: DDA1CF75A01304AFDB15DBB4C854AAE7BB2EF88311F1585A9D406EB391DF35DC42CBA0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #
                                                          • API String ID: 0-1885708031
                                                          • Opcode ID: ee452a1f036cea109ca498f430c7d2da713b964d586c65cf3f5543d4bb497e2a
                                                          • Instruction ID: ccd5660d2ab3931037004d4d45a5e202efbdafdc7d40701e6ebe97a044549961
                                                          • Opcode Fuzzy Hash: ee452a1f036cea109ca498f430c7d2da713b964d586c65cf3f5543d4bb497e2a
                                                          • Instruction Fuzzy Hash: 6782F635A01228CFDB65EF64C844BACBBB2FF48315F1480A9E84EAB351DB759981CF51
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 09bfe2954a67202f3392bb1eb0bbf54bf865b766f0ce4f88855ee4da5a666164
                                                          • Instruction ID: d5d3a922f0d9a6e58497bd8693934743b3bd715196ac4cb36d53b673ef893d3a
                                                          • Opcode Fuzzy Hash: 09bfe2954a67202f3392bb1eb0bbf54bf865b766f0ce4f88855ee4da5a666164
                                                          • Instruction Fuzzy Hash: D5625D34A0020ACFDB14EF64C854BAEB7B2EF85301F5485B9D909AB390DB75ED46CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 82dc61e40733793f9cd8e8498c091c80a4f2566546cbeac4a58a957fbb50ab84
                                                          • Instruction ID: 79caa7ef16a1508b90300e000a01358fa63b2d7dc3c483b76c7f84579f45aa65
                                                          • Opcode Fuzzy Hash: 82dc61e40733793f9cd8e8498c091c80a4f2566546cbeac4a58a957fbb50ab84
                                                          • Instruction Fuzzy Hash: 96E16831A0030ADFDB24CFA4C540B9EBBB2FF85301F1585ADD409AB251DB75A986CF90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734696090.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b30000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 89d0a612bf0c69012f962381fc6e80e6eeb0aae1abd930e644ccddd3f01021e1
                                                          • Instruction ID: 3ea31beaed95b23962c69c1edf8b994df761b1956402090bfcd569de43303ebb
                                                          • Opcode Fuzzy Hash: 89d0a612bf0c69012f962381fc6e80e6eeb0aae1abd930e644ccddd3f01021e1
                                                          • Instruction Fuzzy Hash: 7AB18034B002149FDB25DB75DD90BAEBBB2EF89311F248469E505AF3A1DB71E842CB44

                                                          Control-flow Graph

                                                          [Graph layout omitted. Function entry block 8bc8520-8bc85a7; basic blocks extend to 8bc8ae3-8bc8af6. Outgoing calls: 8e75d81, 8e75db0, 8e765f1, 8e76620, 8e7662f. Executed / not-executed block colouring is not recoverable from the extracted text.]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "Et$"Et$Ld>t$Ld>t$Ld>t$Ld>t$Ld>t$Ld>t$#
                                                          • API String ID: 0-1510759556
                                                          • Opcode ID: 42d90b18539458a31cfd4b259fb71e02da55ebdc1c238b25849d93a1e6c9fa2b
                                                          • Instruction ID: a98c813f7c6ad8a032a7303cd2792622405f4a04ceb91541322d2ed6a6fc38ef
                                                          • Opcode Fuzzy Hash: 42d90b18539458a31cfd4b259fb71e02da55ebdc1c238b25849d93a1e6c9fa2b
                                                          • Instruction Fuzzy Hash: 14021734B00209DFDB14DBA9D994AAEB7F2EF88301B14846DD416AB395DF70EC42CB51

                                                          Control-flow Graph

                                                          [Graph layout omitted. Function entry block 8eb3b20-8eb3b56; basic blocks extend to 8eb3e23-8eb3e6c. No outgoing calls are recorded in the graph. Executed / not-executed block colouring is not recoverable from the extracted text.]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2742181174.0000000008EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8eb0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "Et$(=t$Ld>t$Ld>t$Ld>t$Ld>t$Ld>t$Ld>t
                                                          • API String ID: 0-3505296055
                                                          • Opcode ID: 46f81452478778c757bf1eeb5bd8ebdc6498263b8bc8b84b32862232444b3d00
                                                          • Instruction ID: c740a1b9dde7774f15593db2a009de02bd33e4b7ec019bc3d1f459a40b95b0a5
                                                          • Opcode Fuzzy Hash: 46f81452478778c757bf1eeb5bd8ebdc6498263b8bc8b84b32862232444b3d00
                                                          • Instruction Fuzzy Hash: 66A1A339B002049FCB08DBA8D855AAFB7F6AFC8311B158069D50ADB391DE34EC41CBA1

                                                          Control-flow Graph
                                                          • Basic blocks 8bc7288-8bc7653, entry 8bc7288; call at 8bc7375 with targets 8bc791a and 8bc7920. (Graph image not reproduced here; legend: Executed / Not Executed.)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "Et$"Et$^Et$^Et$^Et$CE
                                                          • API String ID: 0-3353202510
                                                          • Opcode ID: bb647e27c1523aed4a02bd8f61b3e2429af6ae5d93c41e16190808aa84c4509f
                                                          • Instruction ID: 2ccddf18b881c4e96b55a641ae9c790b1f31bd673d8127afda2d84d6a3cf61d4
                                                          • Opcode Fuzzy Hash: bb647e27c1523aed4a02bd8f61b3e2429af6ae5d93c41e16190808aa84c4509f
                                                          • Instruction Fuzzy Hash: 92B15E38B002059FEB04DFA5D854BAEB7A2EFC8300F148569E50AAB395DF75ED45CB90

                                                          Control-flow Graph
                                                          • Basic blocks 8e7ac38-8e7ad66, entry 8e7ac38; call at 8e7ac7f with targets 8e765f1, 8e75eb0, 8e75e80, 8e760d0, 8e760a0, 8e76620, 8e75dff, 8e7662f; call at 8e7ad33 with targets 8e75ec0, 8e75f10. (Graph image not reproduced here; legend: Executed / Not Executed.)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Ld>t$Ld>t$Ld>t$Ld>t$Ld>t$Ld>t
                                                          • API String ID: 0-64380967
                                                          • Opcode ID: 642ecdae2e8c451f83f57d7751bc5f88f09605eb1e0c5a3d771a8c340674ebcf
                                                          • Instruction ID: 9686b405df989360fcc89312311671464adcb10a6e6c1a94296dd140506d7069
                                                          • Opcode Fuzzy Hash: 642ecdae2e8c451f83f57d7751bc5f88f09605eb1e0c5a3d771a8c340674ebcf
                                                          • Instruction Fuzzy Hash: 0B31C736300120EFD7149F65D544A6E77EAAFC425B7295079D60ACB3A4DE31CC018B22

                                                          Control-flow Graph
                                                          • Basic blocks 8bc727a-8bc7653, entry 8bc727a, overlapping the 8bc7288 graph above; call at 8bc7375 with targets 8bc791a and 8bc7920. (Graph image not reproduced here; legend: Executed / Not Executed.)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "Et$^Et$^Et$CE
                                                          • API String ID: 0-1919133321
                                                          • Opcode ID: 5ad1df85dbdda6a2514bfa0e9bb6e7cbfe9e54f1bc6b33ecf48cee7741e1be5e
                                                          • Instruction ID: 6d09e5e6f38f6be6e6b0ce2beda3a31092c41b132a9a7332f276fc77cd535e2e
                                                          • Opcode Fuzzy Hash: 5ad1df85dbdda6a2514bfa0e9bb6e7cbfe9e54f1bc6b33ecf48cee7741e1be5e
                                                          • Instruction Fuzzy Hash: 4A917D38B002059FEB04DFA9C854BAEB7A2EFC8300F108569D506AB395DF75ED56CB90

                                                          Control-flow Graph
                                                          • Basic blocks 8bcc6ce-8bcc808, entry 8bcc6ce; call to 8bcab48 from block 8bcc762-8bcc7e0; call at 8bcc753 with targets 8bcd600 and 8bcd5f1. (Graph image not reproduced here; legend: Executed / Not Executed.)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 09>t$09>t$9>t
                                                          • API String ID: 0-1214051440
                                                          • Opcode ID: 7232aefbbe6653c66a4a2d651b672c38e32716ea2821ccf65c6771edc41521ca
                                                          • Instruction ID: 9987cb642fed47590f9734af0bdcb59c454b820ebc751fd7c2b00234fcbfd660
                                                          • Opcode Fuzzy Hash: 7232aefbbe6653c66a4a2d651b672c38e32716ea2821ccf65c6771edc41521ca
                                                          • Instruction Fuzzy Hash: FA31267AB001259F8B14DB58D0245BEBFA6EFD922271480AFE10DD7351CB30CD42CB92

                                                          Control-flow Graph
                                                          • Basic blocks 8eb2400-8eb24a7, entry 8eb2400; no call edges. (Graph image not reproduced here; legend: Executed / Not Executed.)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2742181174.0000000008EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8eb0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Ld>t$Ld>t$^Et
                                                          • API String ID: 0-2468748194
                                                          • Opcode ID: f208e5b11f584a98b6a3bc5acf4bd2c391344b04b40aa18f954ce732ce007d6a
                                                          • Instruction ID: 353e83830a91734e32a840cabe77032ddff77713db6245a2a3e712b80b50aa7b
                                                          • Opcode Fuzzy Hash: f208e5b11f584a98b6a3bc5acf4bd2c391344b04b40aa18f954ce732ce007d6a
                                                          • Instruction Fuzzy Hash: 13119E35B002248FCB44EF3988146BB7AF6AFC9611B2540A9D109DB3A1DE70DD068791

                                                          Control-flow Graph
                                                          • Basic blocks 336d510-336d868, entry 336d510; calls to 336d140, 336d14c, 336d158 and 336d164; IdentifyCodeAuthzLevelW called from block 336d797-336d7e5. (Graph image not reproduced here; legend: Executed / Not Executed.)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2682217352.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_3360000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8W1
                                                          • API String ID: 0-2149257245
                                                          • Opcode ID: 64331a370f5a3c32a8111ded9b1ca3cf134282fb5123a1b71494ff260200c566
                                                          • Instruction ID: 71b2b206d063454d99402af2865cbb30d0bda8b0c0ac7b15ab426fcfc0640020
                                                          • Opcode Fuzzy Hash: 64331a370f5a3c32a8111ded9b1ca3cf134282fb5123a1b71494ff260200c566
                                                          • Instruction Fuzzy Hash: C4917D70A00359CFEB24DFA5C894BDDBBF5AF48304F0484AAD409AB654DBB55D89CF90

                                                          Control-flow Graph
                                                          • Basic blocks 336e230-336e45d, entry 336e230; call at 336e31a with targets 336e300, 336e3a0, 336e230, 336e21f and 336e2bb; CreateFileW called from block 336e3fc-336e437. (Graph image not reproduced here; legend: Executed / Not Executed.)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2682217352.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_3360000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8W1
                                                          • API String ID: 0-2149257245
                                                          • Opcode ID: ef37d71aa2d9701ef5173c9b2e8aec08781b7404dfb1c2c6709714813a9572df
                                                          • Instruction ID: 756b6d5bbe71be361247c7dddd02f49efddb95126501f243476d62c3415efb23
                                                          • Opcode Fuzzy Hash: ef37d71aa2d9701ef5173c9b2e8aec08781b7404dfb1c2c6709714813a9572df
                                                          • Instruction Fuzzy Hash: 3861EC75A042599FDB05DFA9C844B9EBBF1AF49310F18816AE405AB381CB749845CBA1
                                                          APIs
                                                          • IdentifyCodeAuthzLevelW.ADVAPI32(00000001,?,?,00000000), ref: 0336D7D2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2682217352.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_3360000_powershell.jbxd
                                                          Similarity
                                                          • API ID: AuthzCodeIdentifyLevel
                                                          • String ID: 8W1
                                                          • API String ID: 1431151113-2149257245
                                                          • Opcode ID: 261217136e412a5baabb56cac9f78623037c66ad86d0700730543930192fd6ab
                                                          • Instruction ID: 14c2ffbd26bf6d2cfe0f5e24750fc5cd9a8595eb6227e52e3d78999353dac3f1
                                                          • Opcode Fuzzy Hash: 261217136e412a5baabb56cac9f78623037c66ad86d0700730543930192fd6ab
                                                          • Instruction Fuzzy Hash: 9041F4B0901269DFEB24CF99C984BDDBBB4AB08304F1084EAD40DA7654D7759E89CF60
                                                          APIs
                                                          • SetThreadUILanguage.KERNELBASE ref: 08B47762
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734911284.0000000008B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b40000_powershell.jbxd
                                                          Similarity
                                                          • API ID: LanguageThread
                                                          • String ID: 8W1
                                                          • API String ID: 243849632-2149257245
                                                          • Opcode ID: 19c0e8af60f1f563e114862ac5ac68d6fd9462099d6670bbebe903d91065d41b
                                                          • Instruction ID: bef69d12cc51bfcc23fefcbb751f65c0bca7ad63628dfb105fbf7e799678465b
                                                          • Opcode Fuzzy Hash: 19c0e8af60f1f563e114862ac5ac68d6fd9462099d6670bbebe903d91065d41b
                                                          • Instruction Fuzzy Hash: B121C0B5805388CFCB11CFA9C4847EEBFF4EF0A210F24419AC488A7252C7749945CBA5
                                                          APIs
                                                          • CreateFileW.KERNELBASE(00000000,?,?,?,?,?,?), ref: 0336E42A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2682217352.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_3360000_powershell.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID: 8W1
                                                          • API String ID: 823142352-2149257245
                                                          • Opcode ID: e8b58d4f798cf59e7a082b3bccb39675e77b94fa1a87a355940943fb79961818
                                                          • Instruction ID: 89207e292e9f5c52c05d483f7d1d816b2d7dca37a910ac77cb3cd2106d06bcf9
                                                          • Opcode Fuzzy Hash: e8b58d4f798cf59e7a082b3bccb39675e77b94fa1a87a355940943fb79961818
                                                          • Instruction Fuzzy Hash: D2213AB6D00259DFCB11CF9AD984BDEFBB4FB48310F14812AE914A7210C375A955CFA5
                                                          APIs
                                                          • ComputeAccessTokenFromCodeAuthzLevel.ADVAPI32(?,00000000,?,?,?), ref: 0336D90E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2682217352.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_3360000_powershell.jbxd
                                                          Similarity
                                                          • API ID: AccessAuthzCodeComputeFromLevelToken
                                                          • String ID: 8W1
                                                          • API String ID: 132034935-2149257245
                                                          • Opcode ID: eaddb584b5a40bd873ef6b28e655ec1c3a455c2aef51b174b196dbcf4a25cbc7
                                                          • Instruction ID: 00a4136995de9806f7075ec2b4fa9f12703f658de6a8ddd994e49bf148a10096
                                                          • Opcode Fuzzy Hash: eaddb584b5a40bd873ef6b28e655ec1c3a455c2aef51b174b196dbcf4a25cbc7
                                                          • Instruction Fuzzy Hash: C32118B5900349DFCB10CF9AC884BDEFBF4EB48320F54842AE958A7250D379A945CFA1
                                                          APIs
                                                          • ComputeAccessTokenFromCodeAuthzLevel.ADVAPI32(?,00000000,?,?,?), ref: 0336D90E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2682217352.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_3360000_powershell.jbxd
                                                          Similarity
                                                          • API ID: AccessAuthzCodeComputeFromLevelToken
                                                          • String ID: 8W1
                                                          • API String ID: 132034935-2149257245
                                                          • Opcode ID: 003cf5ec296c55b8af525e77456e8a5f040fe1c7e62b052af241acd646b49f55
                                                          • Instruction ID: e8174a2d8d755d685a81fa5b849e7524e7ccbdfef60dbe2098089c0a9f0211e2
                                                          • Opcode Fuzzy Hash: 003cf5ec296c55b8af525e77456e8a5f040fe1c7e62b052af241acd646b49f55
                                                          • Instruction Fuzzy Hash: 202115B5900349DFCB10CF9AC884BDEBBF4EB48310F14842AE958A7250D378A955CFA1
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(00000000), ref: 03365668
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2682217352.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_3360000_powershell.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID: 8W1
                                                          • API String ID: 3188754299-2149257245
                                                          • Opcode ID: b7917f7069e6b198c2e0a0f50b708027cd7708a8f8a9f9f5fd6f930a218aaa78
                                                          • Instruction ID: d169aac43edcadc9599f588d123714f50aa17a37c6e0fb22db970550a32224c2
                                                          • Opcode Fuzzy Hash: b7917f7069e6b198c2e0a0f50b708027cd7708a8f8a9f9f5fd6f930a218aaa78
                                                          • Instruction Fuzzy Hash: 492144B5C0061ADFDB14CFAAD884B9EFBF4EB49320F14812AD819B7240D774A945CFA5
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(00000000), ref: 03365668
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2682217352.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_3360000_powershell.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID: 8W1
                                                          • API String ID: 3188754299-2149257245
                                                          • Opcode ID: 7dce5b610e6c0a5aea707e3cf7e1131cfc772fe9a63e5f9f2254ec3b1675edb8
                                                          • Instruction ID: 40ba4ce168847dfa3bb4fbacead957dd9133e28f90fa7d2a3cd52be40df49c06
                                                          • Opcode Fuzzy Hash: 7dce5b610e6c0a5aea707e3cf7e1131cfc772fe9a63e5f9f2254ec3b1675edb8
                                                          • Instruction Fuzzy Hash: 7D1144B5C006199FDB14CFAAD844BDEFBF4EB49320F14822AD818B3240C774A945CFA5
                                                          APIs
                                                          • SetThreadUILanguage.KERNELBASE ref: 08B47762
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734911284.0000000008B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b40000_powershell.jbxd
                                                          Similarity
                                                          • API ID: LanguageThread
                                                          • String ID: 8W1
                                                          • API String ID: 243849632-2149257245
                                                          • Opcode ID: 20a8a0c63f724b6e121fcde8695fc7d010b4e109c6045a7bc764d37c30a82101
                                                          • Instruction ID: c24a2d9c4dfb395c6619a4dd07c7105094f7569db4162ab6b981aadebf3e2e64
                                                          • Opcode Fuzzy Hash: 20a8a0c63f724b6e121fcde8695fc7d010b4e109c6045a7bc764d37c30a82101
                                                          • Instruction Fuzzy Hash: 6C1133B5800748CFDB10DF9AC485BEEFBF8EB48325F60846AD558A7250C778A945CFA4
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2682217352.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_3360000_powershell.jbxd
                                                          Similarity
                                                          • API ID: InfoSystem
                                                          • String ID: 8W1
                                                          • API String ID: 31276548-2149257245
                                                          • Opcode ID: f1da6d4254e84be6fcc1765890c58d3f5148f8d0dec88c280e316e61a5267f27
                                                          • Instruction ID: 78127cc609cb03f88100471c628a5cafe9a6f1ab3fdc756cad559bb6fe42e611
                                                          • Opcode Fuzzy Hash: f1da6d4254e84be6fcc1765890c58d3f5148f8d0dec88c280e316e61a5267f27
                                                          • Instruction Fuzzy Hash: 3A11FDB5C00659DFCB00DF9AD884BDEFBF4AB49220F10812AD818A7250C7B8A945CFA1
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2682217352.0000000003360000.00000040.00000800.00020000.00000000.sdmp, Offset: 03360000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_3360000_powershell.jbxd
                                                          Similarity
                                                          • API ID: InfoSystem
                                                          • String ID: 8W1
                                                          • API String ID: 31276548-2149257245
                                                          • Opcode ID: dc523d2f370b3c6a4398da7d37876824c0cc10602e081e64a6e8f505960ec0e6
                                                          • Instruction ID: 2e8d2a5fd73842bb18f78b513f23077a6a0b3d18cca088f6e241c0b70dabcc31
                                                          • Opcode Fuzzy Hash: dc523d2f370b3c6a4398da7d37876824c0cc10602e081e64a6e8f505960ec0e6
                                                          • Instruction Fuzzy Hash: E911DFB5D00659DFCB00DF9AD484BDEFBB4AB49214F10812AD818A7250C7B4A945CFA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Y=t$Y=t
                                                          • API String ID: 0-1495259516
                                                          • Opcode ID: 999ae62c06e685b838269b1c212394c2b58dc6bd96251268bcbef42634d9ea03
                                                          • Instruction ID: 82668d8a125264e8e70147481b4e21bdf6b1505aec7282c0bc111559e9d53194
                                                          • Opcode Fuzzy Hash: 999ae62c06e685b838269b1c212394c2b58dc6bd96251268bcbef42634d9ea03
                                                          • Instruction Fuzzy Hash: E6221434A01705DFCB15DFA4C594AAEBBB2FF88311B14896CD44A9B361DB35EC46CB50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ^Et$^Et
                                                          • API String ID: 0-947825624
                                                          • Opcode ID: 8372832a77f9aab56cc49b48dbb54338969e36b414385ebfa8844269ab2feee6
                                                          • Instruction ID: dd2d9c827531aa7db5f243d7e9413859896092356028bda168a9c041d1456ac4
                                                          • Opcode Fuzzy Hash: 8372832a77f9aab56cc49b48dbb54338969e36b414385ebfa8844269ab2feee6
                                                          • Instruction Fuzzy Hash: 6A027C70B00605DFDB15EFA4D890AAEB7F2EF88301F14856DD506AB395DB74E846CB90
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ^Et$^Et
                                                          • API String ID: 0-947825624
                                                          • Opcode ID: 4de88a31e1aae24f8e6c35ea56bd38808249cda620ec8e14420a1071b9b7b08b
                                                          • Instruction ID: 1b5acf269b1836213e732507118b1212ac0c6730d65498cd75e35d291b99ca01
                                                          • Opcode Fuzzy Hash: 4de88a31e1aae24f8e6c35ea56bd38808249cda620ec8e14420a1071b9b7b08b
                                                          • Instruction Fuzzy Hash: 96A14C35B00218DFDB14DFA4C894AAEBBB2FF88311F208569D506AB355DF359D46CB90
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (:>t$(:>t
                                                          • API String ID: 0-3444845171
                                                          • Opcode ID: 84ad37b19d295f2023b6f9f2a068e2f4ee7297b39b3a0dc194910fd7073c8838
                                                          • Instruction ID: 3f15fb855e59aab11e23b37a070c4b6e30e7294724fe0f08aef3a72ed076a654
                                                          • Opcode Fuzzy Hash: 84ad37b19d295f2023b6f9f2a068e2f4ee7297b39b3a0dc194910fd7073c8838
                                                          • Instruction Fuzzy Hash: CBA16A79B00215CFCB14DF65C4949AEBBF6FF8821172485ADE80A9B361DB31EC42CB90
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0$8W1
                                                          • API String ID: 0-547807435
                                                          • Opcode ID: 33443350ae602fca1e0dfab73105e11d8259764f3a5b4b37e7549d767dafb643
                                                          • Instruction ID: 0d5ab702a23a0d060e9e4d5ca95969403132dd14e2ebff2afbcb6ed9cb57b9a7
                                                          • Opcode Fuzzy Hash: 33443350ae602fca1e0dfab73105e11d8259764f3a5b4b37e7549d767dafb643
                                                          • Instruction Fuzzy Hash: 4541AE75A00308DFDB11EFA5D8447DEBBF5EF89311F10442AD509AB380DB75A849CBA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "Et$^Et
                                                          • API String ID: 0-405827239
                                                          • Opcode ID: f5d640ca82c5b32d5a5a22d9303fbc3238df7d6e0457e6e5b55377f38cc8631f
                                                          • Instruction ID: 1292077115d48b6a682430361d6ad57a10c46da75cc429f87fe0c31be74ac877
                                                          • Opcode Fuzzy Hash: f5d640ca82c5b32d5a5a22d9303fbc3238df7d6e0457e6e5b55377f38cc8631f
                                                          • Instruction Fuzzy Hash: FA319A34B002169FDB00DBA9D854AAFBBA6EBC8200F108079D909DB395DE70DD068BA0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "Et$^Et
                                                          • API String ID: 0-405827239
                                                          • Opcode ID: bd1a4310d98457ee7ee60d4ab4ed98ce643b6e3fe274e69f333bdd4fde228d11
                                                          • Instruction ID: ab1adda9d2f04f28d27d6a76ad29be40a0b9a2e2d372aa451b59b6e385383c15
                                                          • Opcode Fuzzy Hash: bd1a4310d98457ee7ee60d4ab4ed98ce643b6e3fe274e69f333bdd4fde228d11
                                                          • Instruction Fuzzy Hash: F9315A34B002169BDB04EBA9D854ABFB7E7EBC8310F108039E909DB395DE71DD468B91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2742181174.0000000008EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8eb0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Ld>t$Ld>t
                                                          • API String ID: 0-1578203329
                                                          • Opcode ID: 33d48092c6d520a55cdbbc1b54839ed7a619643f402afe72d090d61753261507
                                                          • Instruction ID: acd20947e3575f433077670c293ad1205eda6ef9d4b6b1289c84d99fcecf0dd5
                                                          • Opcode Fuzzy Hash: 33d48092c6d520a55cdbbc1b54839ed7a619643f402afe72d090d61753261507
                                                          • Instruction Fuzzy Hash: B321F676B04215DFDF148FA1D850ABFBBBAEFC4221B18405DE94A97240DB31DC11CBA2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ;H$[I
                                                          • API String ID: 0-1589525708
                                                          • Opcode ID: 29dc90951c5f132017de61f2fbf74d818006fb49b8012331320810e622086ff7
                                                          • Instruction ID: 22aa562a6aa9d3db99ec3c62d975f6f84a541a562f38f03b13a4544df0a1c63b
                                                          • Opcode Fuzzy Hash: 29dc90951c5f132017de61f2fbf74d818006fb49b8012331320810e622086ff7
                                                          • Instruction Fuzzy Hash: AB117976200300DFC708DF99D94596AB7E2FF88215B10896DD40A8B362DF71EC06CBA0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Ld>t$Ld>t
                                                          • API String ID: 0-1578203329
                                                          • Opcode ID: af39ba83f6c901ff2d00b6041c52d93fbba31ad33c5b406c16873787717ad0cf
                                                          • Instruction ID: 8a7a920e284f3e115ced7b8503ea3e9ecc04f37d2b52143ce3f6c4b884486ad3
                                                          • Opcode Fuzzy Hash: af39ba83f6c901ff2d00b6041c52d93fbba31ad33c5b406c16873787717ad0cf
                                                          • Instruction Fuzzy Hash: FCF09036700220DFE714EB68D858A6A37E5EF8C35672100B9E509CB365DE22DC418BA2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Ld>t$Ld>t
                                                          • API String ID: 0-1578203329
                                                          • Opcode ID: eb47a7f2f9d1d02018f4855c22557f9f95ef0b62a6601ded96eb8d3647439884
                                                          • Instruction ID: 33b718ef5a88e87a6a2dc9e3471a2e728b6c81c7423d9d37583234b93456d001
                                                          • Opcode Fuzzy Hash: eb47a7f2f9d1d02018f4855c22557f9f95ef0b62a6601ded96eb8d3647439884
                                                          • Instruction Fuzzy Hash: D6E0E536740224DF8714DA69E444D2673A9AF8A66533590AAD409CB361DA33DD43CBE2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ^Et
                                                          • API String ID: 0-2134091200
                                                          • Opcode ID: 4997c1032d77504a205b354ec77e830e098cb328eb38a2da46024e282efdbdd6
                                                          • Instruction ID: 92e25948280ed507af297abb21193bc8d1dd34bc077ff1c8943f0465d2b203d1
                                                          • Opcode Fuzzy Hash: 4997c1032d77504a205b354ec77e830e098cb328eb38a2da46024e282efdbdd6
                                                          • Instruction Fuzzy Hash: 8CF14E35A00615CFCB08CF68C584AAEBBF2FF84315B65D5A9D505AB296CB31EC47CB90
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Y=t
                                                          • API String ID: 0-1974659538
                                                          • Opcode ID: c42bb5bea022db7b55d80931823cf76ba74962a1b0559177c25fd6ebec9e9d41
                                                          • Instruction ID: e6b8d641f35d6eced03ad4500e3f1375c19e62491a53b757119da601440937e1
                                                          • Opcode Fuzzy Hash: c42bb5bea022db7b55d80931823cf76ba74962a1b0559177c25fd6ebec9e9d41
                                                          • Instruction Fuzzy Hash: 74A11334A01705DFCB14DFA4C594AAEB7B2FF88311B1489ADD45A9B352DB35EC46CB40
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: d
                                                          • API String ID: 0-2564639436
                                                          • Opcode ID: 84d055f699575e93922a0aec967c9d264e7e786c93041db56fa7cc284c46f2b6
                                                          • Instruction ID: 0d85287ede368fa87abe61ff0e429ee17d5631b0066e7f50027842fc3680894f
                                                          • Opcode Fuzzy Hash: 84d055f699575e93922a0aec967c9d264e7e786c93041db56fa7cc284c46f2b6
                                                          • Instruction Fuzzy Hash: 7A919C38B04301CFDB15DB65C89066EBBB2EF88201B1885BED9459F396DB74DC45CBA0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: L@Et
                                                          • API String ID: 0-1517992764
                                                          • Opcode ID: 428fe5d9b6e31688af5946b753f55a427db7fad1ff404287066777470272a347
                                                          • Instruction ID: bb8008ab9340a83d4eaf1ce2a656a059ddcac5d712f9ef4709c39a8c1f4a753a
                                                          • Opcode Fuzzy Hash: 428fe5d9b6e31688af5946b753f55a427db7fad1ff404287066777470272a347
                                                          • Instruction Fuzzy Hash: 15514F30B04715DBDB248FA9C9847AEBBF5AF44702F1584ADE802AB395DB74DC41CBA0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ^Et
                                                          • API String ID: 0-2134091200
                                                          • Opcode ID: cbe305a8e12af30e4bb51f6a40a8a976d8766c16ac96f2bf7412042a88a888cc
                                                          • Instruction ID: 167608140128342a6debcdf60defd9ddc88617793e404e40b898351a032c248a
                                                          • Opcode Fuzzy Hash: cbe305a8e12af30e4bb51f6a40a8a976d8766c16ac96f2bf7412042a88a888cc
                                                          • Instruction Fuzzy Hash: 6B416D74B002099FDB14EBB8C850AAEB7B6EFC8201B5085ADD106AB354DF71ED46CBD5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "Et
                                                          • API String ID: 0-64186490
                                                          • Opcode ID: ac7059691140526da7730414feac3d984ab993a088d568bbb4fe01c8a67c0880
                                                          • Instruction ID: 91950687b3345e52ccb7fef4712aecf136a72dcfcadee6a1c63835493f08e687
                                                          • Opcode Fuzzy Hash: ac7059691140526da7730414feac3d984ab993a088d568bbb4fe01c8a67c0880
                                                          • Instruction Fuzzy Hash: 19214179B002149FDB04EBA8D884AAFB7F6EFC8211F154079D509E7355DA34AD018BA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ^Et
                                                          • API String ID: 0-2134091200
                                                          • Opcode ID: 7fab9ffb70e66adf170538854f0c7ecf741655c09150ccad647dd5eeb480feff
                                                          • Instruction ID: 843dcf49a2c226e7f42f2dd73996621bff035cc312c7204e41db161244c23ade
                                                          • Opcode Fuzzy Hash: 7fab9ffb70e66adf170538854f0c7ecf741655c09150ccad647dd5eeb480feff
                                                          • Instruction Fuzzy Hash: 4C21FE35B042008FDB14DBA4C890AAEBBB2EFC4301B14816DD606EF24ADB34DD05CBA5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0
                                                          • API String ID: 0-4108050209
                                                          • Opcode ID: 12e17c0ffde10edee3dba5fe71898feec3dc3a06c4d4d7ce9bbbe48c05f5e75b
                                                          • Instruction ID: cae60969a23599dc483bfba7f24db81346edc761cafcd67bcf95bf5920741cec
                                                          • Opcode Fuzzy Hash: 12e17c0ffde10edee3dba5fe71898feec3dc3a06c4d4d7ce9bbbe48c05f5e75b
                                                          • Instruction Fuzzy Hash: 5D11D635A00304DBDB11EF71E8946DEBBB6EF84316F50442DD905AB380EB76D84ACB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8W1
                                                          • API String ID: 0-2149257245
                                                          • Opcode ID: 83b701cf7749e056077d6d7d349c52898b27e2c9fd416790110d3fb6de31846b
                                                          • Instruction ID: 21baeb965abf726cfe947bfcc321cea4748b1d8f8c8192547c2f993889afe6e5
                                                          • Opcode Fuzzy Hash: 8d3e4f4b7e809047744c536751b2ad07971665da0e52fbac52a9af7caab5a09a
                                                          • Instruction Fuzzy Hash: F7A15C34A00209DFDB15DFA4C454BADBBB2FF44301F558468E50AAB796DB75AC82CF90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0537f45c69cef2c2b9c0f3251a691f863b6bac4b77d765a810cde115c67b971c
                                                          • Instruction ID: 3ceb11aab708e7300ccafc589a9368bfc39bf1ae96c02608a802ee43f54d9b67
                                                          • Opcode Fuzzy Hash: 0537f45c69cef2c2b9c0f3251a691f863b6bac4b77d765a810cde115c67b971c
                                                          • Instruction Fuzzy Hash: 0FA18874600705CFCB20DF65D9A0AAEBBF2FF88211B00856DD4469B365DB70EA46CFA1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4cecca950bff02123ce78437387c57139e900caea83b2bfe2cdee310fc665f6f
                                                          • Instruction ID: 722b322196f8ad8b8e8ef8589fa817b029c830ebbd72b7bc965fce3b09784b21
                                                          • Opcode Fuzzy Hash: 4cecca950bff02123ce78437387c57139e900caea83b2bfe2cdee310fc665f6f
                                                          • Instruction Fuzzy Hash: FB713531B043548FCB28CFA9D88077E7BB6EF95212B14847EE646EB653DB34D8468750
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 62dc440100648ee1118545077611ffc8d06c4dd4360812891eec2fe075004b5e
                                                          • Instruction ID: 646b8e458c65701bccf12105f17307aa75d898c6864c1d31440b7c0620be87fe
                                                          • Opcode Fuzzy Hash: 62dc440100648ee1118545077611ffc8d06c4dd4360812891eec2fe075004b5e
                                                          • Instruction Fuzzy Hash: 58916C35A01215CFDB14EF65D858B9EB7B2FF88311F1581AAD50AAB390DB309D85CF60
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 823d181aaf7f98949aa0e0e86b931677f1f9d752091d5df99f8cad6c5509cd11
                                                          • Instruction ID: 98a2a49d033fa1d49e91d678fea111471e2bb04333ec1492b7a1dc0dbc74550c
                                                          • Opcode Fuzzy Hash: 823d181aaf7f98949aa0e0e86b931677f1f9d752091d5df99f8cad6c5509cd11
                                                          • Instruction Fuzzy Hash: 44A1F835A00609CFCB25EFA8C584A9DF7B1FF48311F21D699D959AB262DB30E985CF40
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f9fa2ad0d1930d39c3dbfde43497af3c50ce0be3cef498d0828a9020cdfa458c
                                                          • Instruction ID: 58aeb855c7d2a311eb6d58e688481b921cef102328d9c3d5e56d5ae3e14cd8af
                                                          • Opcode Fuzzy Hash: f9fa2ad0d1930d39c3dbfde43497af3c50ce0be3cef498d0828a9020cdfa458c
                                                          • Instruction Fuzzy Hash: F6813A35701204DFC704EBA5D858AAEBBF7FF88721F248069E506AB365CB759C42CB61
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0a58ef713cf847b30ba092c7c3acacc1a599c77695f5ca4b9876f0f60d9a3351
                                                          • Instruction ID: 4422977d15319317b8f4dc0f59ae74e8ddd1d25ebf91bc6b6f26eeb56023aba9
                                                          • Opcode Fuzzy Hash: 0a58ef713cf847b30ba092c7c3acacc1a599c77695f5ca4b9876f0f60d9a3351
                                                          • Instruction Fuzzy Hash: C9814834A01208DFDB19DFA5D858BAEBBB6FF88311F148429E906AB391DB349D41CF50
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6bc378cc2faa6349289a85f8a4bb639a24c42712f306de748058eda85659eb43
                                                          • Instruction ID: 15f74571e5c353443fc4c690bd1161541484bc43c64a835958993799c15270b5
                                                          • Opcode Fuzzy Hash: 6bc378cc2faa6349289a85f8a4bb639a24c42712f306de748058eda85659eb43
                                                          • Instruction Fuzzy Hash: 7091E434A00304CFDB24EFA4D498B6DBBB2EF48705F24856DE5169B7A2CB75AC45CB50
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4b7c5953c8fcd2e1ec5b687b74bc5ab664997836a36b12a78aad545e26f03234
                                                          • Instruction ID: 9e86a04b9464ac34312797a3e3f6e19d47ee7452ff5dad0c31224292e20734de
                                                          • Opcode Fuzzy Hash: 4b7c5953c8fcd2e1ec5b687b74bc5ab664997836a36b12a78aad545e26f03234
                                                          • Instruction Fuzzy Hash: 88617535B00214CFCB15DB68D58496EBBF2EF8921172480EEE40ACB362DB70EC46CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 48b1cb119e372291ddbaeeeb3b5d83403aca86e44e993c80bbd5b4c0e86b342a
                                                          • Instruction ID: 206de434db5971edd337b62491a889b8d0bbaca2be5a5bf3499a9b914b2c9a8d
                                                          • Opcode Fuzzy Hash: 48b1cb119e372291ddbaeeeb3b5d83403aca86e44e993c80bbd5b4c0e86b342a
                                                          • Instruction Fuzzy Hash: FA718D35A10209CFCF40EFA4C490AEDBBB2EF89315F259169D509AB351DB71ED86CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7e3d4ac011c44be2c16ac5eca67bdcee994fdbdc74f34bcd21c5a7b784722113
                                                          • Instruction ID: 16a04791420f49a79834a51911265e96aa562931f0b21e73369ef7701accd71f
                                                          • Opcode Fuzzy Hash: 7e3d4ac011c44be2c16ac5eca67bdcee994fdbdc74f34bcd21c5a7b784722113
                                                          • Instruction Fuzzy Hash: CE618235A00208DFCB05DFA9D944AAEBBF6FFCC215F149029E509AB361DB759C458B60
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b76eb4d44acc79c130f96e0eb0708db94337281fc899dd6809b7bcb43a48e3f8
                                                          • Instruction ID: ef5b07dee30842e42c1bb14b903b8f7e70e3b8751684c069770392ccdbe03d9a
                                                          • Opcode Fuzzy Hash: b76eb4d44acc79c130f96e0eb0708db94337281fc899dd6809b7bcb43a48e3f8
                                                          • Instruction Fuzzy Hash: 70815775A01205DFCB14EFA4D588A9DB7F2FF48315F2185A8E409AB362DB34ED45CB40
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 846f6ad6e58d2f5046948c4e6972318d541b0144ca90c477e440a385f1ad4543
                                                          • Instruction ID: b2670898ef8fc9815440a272972a58cb33cf025a2c596e6560e23d315112500d
                                                          • Opcode Fuzzy Hash: 846f6ad6e58d2f5046948c4e6972318d541b0144ca90c477e440a385f1ad4543
                                                          • Instruction Fuzzy Hash: C6613F34A00619CFDB54DBA5C558B9EB7B2EF84341F14C028E506AB796DBB49C46CF80
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b547cb5dc0ce64a16a419221b1c40a5b9b25cd2c351435b446716383d9ae7b1a
                                                          • Instruction ID: 7605c4bbfea7f4b8460596f0132a57d3bd312efe4ad91026964441d0c3de2166
                                                          • Opcode Fuzzy Hash: b547cb5dc0ce64a16a419221b1c40a5b9b25cd2c351435b446716383d9ae7b1a
                                                          • Instruction Fuzzy Hash: A361F970A00209DFDB14DFA5E958AADBBB5FF88311F14846DE406E72A1DF30AD45CB60
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0d6cc84104932a388f43938e7d1e18df8f0d9dd5f5472e37873e564b01e25eee
                                                          • Instruction ID: 784351ed6e7c3b16023d9f68d36b412a301afda7c69bf03b0ef887fd6e81e19c
                                                          • Opcode Fuzzy Hash: 0d6cc84104932a388f43938e7d1e18df8f0d9dd5f5472e37873e564b01e25eee
                                                          • Instruction Fuzzy Hash: 7A51C035A10204DFC715EB64D954A9EB7B7EF88315F14802AEA0ADB3D5CB31EC42CB91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e4c09f69b05a02498697765b688dc69fb049bdd97256c54026d27c5a077e6447
                                                          • Instruction ID: fb9e04d81e259758db19e912cacc2ad646a899f8d2c9e5e66d4cdc2841de11f9
                                                          • Opcode Fuzzy Hash: e4c09f69b05a02498697765b688dc69fb049bdd97256c54026d27c5a077e6447
                                                          • Instruction Fuzzy Hash: 43514E34A00619CFDB54DFA5D558BAEB7B2EF84301F148028E506AB756DBB09C46CF90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e0bc9550172aee264353d1ac5d1c81eea455d7706f641e87fd5632f0981b323c
                                                          • Instruction ID: c24c79860f1a64fd7c037392f816c60b434d88dc6ebc1954e9e2cbfaf32c9be0
                                                          • Opcode Fuzzy Hash: e0bc9550172aee264353d1ac5d1c81eea455d7706f641e87fd5632f0981b323c
                                                          • Instruction Fuzzy Hash: C9716635D00399CFCB11DFA8C084ADDBBB1BF49315F155599E888BB3A1D770A989CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c5e1391a4d2bcb1abfcd5b77348ef6b8a20cfa3665a678ccddc11d8317d3f99e
                                                          • Instruction ID: f7b464d975e8326b901abfdde668956ebd441ae39a772a9651bd1bde40ceb723
                                                          • Opcode Fuzzy Hash: c5e1391a4d2bcb1abfcd5b77348ef6b8a20cfa3665a678ccddc11d8317d3f99e
                                                          • Instruction Fuzzy Hash: 8A517A35A0021ACFDB04EFA4C490AAEB7B2FF84205F109568C50AAF391DB74EC46CF90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735292272.0000000008B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b50000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d3d4ec60efce2d58f17e884db2489f54c78031dc50cef363d754b4a16d3287d6
                                                          • Instruction ID: 56c251f6400d4212f3612e030bcfdb68a3ec2b6504e850fb6c1245e20898256f
                                                          • Opcode Fuzzy Hash: d3d4ec60efce2d58f17e884db2489f54c78031dc50cef363d754b4a16d3287d6
                                                          • Instruction Fuzzy Hash: FF518C34A06344CFCB55DB78D8646E9BBF2EF8A212B0580AAD841EB352DB35DC45CF61
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2e3fc8bc8a76d8e92eeb6579427d369ddff04ebf3e0b5a0877816c789b244916
                                                          • Instruction ID: c81d78e7d6a126ae5b828c59bb3f484e9b9e05f5db4c8e4041f90c4ce11ccb45
                                                          • Opcode Fuzzy Hash: 2e3fc8bc8a76d8e92eeb6579427d369ddff04ebf3e0b5a0877816c789b244916
                                                          • Instruction Fuzzy Hash: 1951B577E01912CFEB61DB1CC4806BEB7E2EB86336B156269D866573D1C630DC42CB92
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cd98795bf1d62f43523b69ac7a95965df642e42e314c04de298ff5eba380e7a5
                                                          • Instruction ID: a900c9b27f135edd00cda8b2186c7ee735377a1989adaf2aa7c0a46488922b1c
                                                          • Opcode Fuzzy Hash: cd98795bf1d62f43523b69ac7a95965df642e42e314c04de298ff5eba380e7a5
                                                          • Instruction Fuzzy Hash: 0B51FA75A012158FCB04DF69D98899EBBF1FF88311B15C0A9E80AAB361DB70EC41CF60
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1100a4541c8b876f3d3981bd4d37591b9f196afd4795efe38e2e509615a4ad93
                                                          • Instruction ID: 069ad21956e0fe97ebd9734d6e1df5cddbdb458de52eeb5a2c4e14963109b3f0
                                                          • Opcode Fuzzy Hash: 1100a4541c8b876f3d3981bd4d37591b9f196afd4795efe38e2e509615a4ad93
                                                          • Instruction Fuzzy Hash: D9611635600244DFDB15EFA4C094A9EBBB2FF88316F1495A8D44A9F3A5CB35EC85CB50
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ab5f8aeabd1bfffbf2ee30bf8b1a7a6a7e5941050dbb668a3e3be40e606c823a
                                                          • Instruction ID: b273ace81b8d2b71342624bf189866fdb4bbd616cf89ac3fb466f6635ab42287
                                                          • Opcode Fuzzy Hash: ab5f8aeabd1bfffbf2ee30bf8b1a7a6a7e5941050dbb668a3e3be40e606c823a
                                                          • Instruction Fuzzy Hash: DA612831A00619CFCB44CF58C584AAEFBB2FF44315B65D6A9D509AB296C731F883CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735292272.0000000008B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b50000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ff5a853b0e879f3920f7d561a36d24632970e78afeacdf71ef9d7f521bceceb9
                                                          • Instruction ID: 6a4d837c97c07c7367415966726677b8117a07de9dbc79e5e5a2d756bd72d946
                                                          • Opcode Fuzzy Hash: ff5a853b0e879f3920f7d561a36d24632970e78afeacdf71ef9d7f521bceceb9
                                                          • Instruction Fuzzy Hash: 9D413535F053445BCB06AB7598183BEBF63EFC6602F0484A9E942DB3C2CF7488468B91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e27fa96332ee22770f1dbb14130e8055c3408917422a1e1f052e692685f9a9e0
                                                          • Instruction ID: 2dae59ca77062c46671c37a5c8f9a2a9a2cb853b17a6b1da30a6190326757837
                                                          • Opcode Fuzzy Hash: e27fa96332ee22770f1dbb14130e8055c3408917422a1e1f052e692685f9a9e0
                                                          • Instruction Fuzzy Hash: EE511171204305CFD725EB70D89065EBBA2FF81205B109A6DD44A8BB92DF75F889CB91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ce83b13f64400458a8169f46df0d1a2d60d6d1e136056e59c829b1761a059d26
                                                          • Instruction ID: d6b51770c171d00c7dc36d51febf91a016345e47ca0729d2014f5c4ddd21e11e
                                                          • Opcode Fuzzy Hash: ce83b13f64400458a8169f46df0d1a2d60d6d1e136056e59c829b1761a059d26
                                                          • Instruction Fuzzy Hash: 3B518A70A0060ADFDB15DF64C994AAEBBF2FF88300F14866DD446AB251DB70ED46CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c2d81264ff76e250b225b387918b24a1bd5735183cd9e7ef9baa2984c3b8540c
                                                          • Instruction ID: 2962a22655243ba6fb73113c3d1fbf2a292c8e7b94b7a27e189e32d6a1856870
                                                          • Opcode Fuzzy Hash: c2d81264ff76e250b225b387918b24a1bd5735183cd9e7ef9baa2984c3b8540c
                                                          • Instruction Fuzzy Hash: D3615335D00399CFCB11CFA8C084ACCBBB2BF09310F155589E858BB3A5E770A989CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a8d852b54fd47c1c5f65941040cce563b73586f8173a1d0d120afe81ae891e12
                                                          • Instruction ID: ef62fc701bbf9683a75fe57f5c69f37e5ec4e3c66676b740e41b6ddd0b9afe76
                                                          • Opcode Fuzzy Hash: a8d852b54fd47c1c5f65941040cce563b73586f8173a1d0d120afe81ae891e12
                                                          • Instruction Fuzzy Hash: ED512B34A00204CFDB04DFA5D548A9DBBF2EF88321F148569E906AB766DB70EC42CF60
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7bfa14f939a82669f4c39f202fe026299b8322fb5ee967fcd98488b80168bef9
                                                          • Instruction ID: df487aa681edbc668a2ab2b5e5637cfea4f00ccff04444831e1d0325bdec8a17
                                                          • Opcode Fuzzy Hash: 7bfa14f939a82669f4c39f202fe026299b8322fb5ee967fcd98488b80168bef9
                                                          • Instruction Fuzzy Hash: D8517D70E00706DBD719CF66C550A6ABBB2FF95201F1445AED8019B345EB74EC82CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 05849a6c4aa70a179b409c05fd5575ce58b8fa7522fc4d171250dfd4e96b1760
                                                          • Instruction ID: 3a60488971ca678f2873cbbeb49976c5a3b387c066db6c597d9506cf35754569
                                                          • Opcode Fuzzy Hash: 05849a6c4aa70a179b409c05fd5575ce58b8fa7522fc4d171250dfd4e96b1760
                                                          • Instruction Fuzzy Hash: B8411632A10319DFC714EFA9D8506AE7BE7EFC8211F148529E509DB341EE74DD4A87A0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 691852ee22b8124168aed742d2e1491b39095520e8b590e01a4d219237498443
                                                          • Instruction ID: 6988ddf9ef46360879aec056a088116327404caabb670d248fb5c7f6f0b9f70a
                                                          • Opcode Fuzzy Hash: 691852ee22b8124168aed742d2e1491b39095520e8b590e01a4d219237498443
                                                          • Instruction Fuzzy Hash: 93512934A00205CFDB14DFB9C440BAEBBF6AF88751F148079EA01AB381EB71D841CBA4
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734696090.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b30000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 26751f7d7004b9dd22438576a97ed54c0d72c7916626d85187b29557e718cfda
                                                          • Instruction ID: b7341799474e97018b4dd52895a92ca7ae2e216cb90f8726a26e91da706fa9ef
                                                          • Opcode Fuzzy Hash: 26751f7d7004b9dd22438576a97ed54c0d72c7916626d85187b29557e718cfda
                                                          • Instruction Fuzzy Hash: 25519E74201701ABD315EB75C850B6A77A3EF82321F10CA2DC1668F7C1CFB5E8958B95
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f2392eb0e7be4f189bf538a3d34f8e316c4dffc9652dd6efa602171deadfc302
                                                          • Instruction ID: c42cb817ef07a26fdf93264016ab8d2851cd3567c43216b86b00e14d73950dc6
                                                          • Opcode Fuzzy Hash: f2392eb0e7be4f189bf538a3d34f8e316c4dffc9652dd6efa602171deadfc302
                                                          • Instruction Fuzzy Hash: 40512334A00309DFCB24CF58C584B9ABBB2BF85301F5585ADE449AB295DB71ED89CF81
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735292272.0000000008B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b50000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 047dabb273852714043e16bb3adb1e4edd84033e87e8e45bc072adba7b1d12f2
                                                          • Instruction ID: 05a4f3f06dc9db434d4eb963a56d2fda252b6f2b0a304534ce6a38f33aa2ba97
                                                          • Opcode Fuzzy Hash: 047dabb273852714043e16bb3adb1e4edd84033e87e8e45bc072adba7b1d12f2
                                                          • Instruction Fuzzy Hash: 8A511534A01204CFCB58DB79D8586ADBBF2EF88352B1484A9DC06EB394DB75D842CF60
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735292272.0000000008B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b50000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6c6115e8d32ca6d8192ce7ffb38ae1dfb0890787afe7d1d4e9c5f199e9e82c76
                                                          • Instruction ID: 442e3b1dfc471b726bb21fe611f0d0f7f9c5f6f740aacc469657ba50718121f5
                                                          • Opcode Fuzzy Hash: 6c6115e8d32ca6d8192ce7ffb38ae1dfb0890787afe7d1d4e9c5f199e9e82c76
                                                          • Instruction Fuzzy Hash: F341D535A00618DBCB14DFB8D8446EDFBF2FFC9211F5081A9D901AB354DF7598468BA1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734696090.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b30000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 76b72e0959a68675ff2e0084d388af9d986de1a1b4cde3365a5921986f1c8796
                                                          • Instruction ID: 8c5793824cc74e74b95a3ae121cbd2ab5b4a7eb10578a7f2f433f20acf8ed086
                                                          • Opcode Fuzzy Hash: 76b72e0959a68675ff2e0084d388af9d986de1a1b4cde3365a5921986f1c8796
                                                          • Instruction Fuzzy Hash: 71416D74300701ABD315EB76C850B6AB7A3EB85321F50CA2DC1668F7C0DFB5E8958B95
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fced4bbfcdb8a2edf4d7cdf4cf911b02c786bea72b1d808e0bf58f90cd4d09d8
                                                          • Instruction ID: 4f5dfaa34a620e12d3ac4333f9a60ca388f23556c4a54f5c2171c774531ba8cb
                                                          • Opcode Fuzzy Hash: fced4bbfcdb8a2edf4d7cdf4cf911b02c786bea72b1d808e0bf58f90cd4d09d8
                                                          • Instruction Fuzzy Hash: 18516B70A0060ADFDB14DFA5C594AAEBBF2FF88300F14866DD405A7251DB70ED56CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 251a39de8696aec435fc759b4b184a730fbca7e46a502e163de3d1f7ffc8e3f3
                                                          • Instruction ID: 443786314dc7093d2a8aaf79d34f5b72bfe809ca6b1bf3cbb1494a9b6d67fe88
                                                          • Opcode Fuzzy Hash: 251a39de8696aec435fc759b4b184a730fbca7e46a502e163de3d1f7ffc8e3f3
                                                          • Instruction Fuzzy Hash: 4F41E036B003058FCB14DFA9E444AAEB7A2EFC4221F14C57ED1999B391DB71E9468B90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e25318846fef58c37b530aad3681ede13d6fe665bb8ab8d20719cebfca7cc671
                                                          • Instruction ID: 2e24f208dc98314ac25e80896eb8d85aca622d8022992536df61ff6be2fbc7fc
                                                          • Opcode Fuzzy Hash: e25318846fef58c37b530aad3681ede13d6fe665bb8ab8d20719cebfca7cc671
                                                          • Instruction Fuzzy Hash: CE412732704604CFDB06AB64A858A7E7BE6EFC9211B19402EE50EC7382DF34DC02C7A1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b729d3b030d41a9cd40ecd848fa53f002b22546aaaf64863ad9357125160cd5b
                                                          • Instruction ID: 80d1cd4a4d028cd58c032b4103943e3470bfb68fb1cb17a735531e325d1159b6
                                                          • Opcode Fuzzy Hash: b729d3b030d41a9cd40ecd848fa53f002b22546aaaf64863ad9357125160cd5b
                                                          • Instruction Fuzzy Hash: 2E41E1793016408FD725DB69D580A6F7BA2EFC9222B1884BED149CF362CE70DC49C761
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734696090.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b30000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: be0f6053b1cb7d1a4f810e0bedb60bb48eccc8bd6261bed03303880005259713
                                                          • Instruction ID: 79ddca42b636661ad58210f26835055da982aaf645ec83094b5eca38aa976641
                                                          • Opcode Fuzzy Hash: be0f6053b1cb7d1a4f810e0bedb60bb48eccc8bd6261bed03303880005259713
                                                          • Instruction Fuzzy Hash: 93413874E00228CFDB24DFA9C844AEDBBF1EF88312F1484A9D815B7390DB749945CB61
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 037b1e8e5286d830788ad6b8fd0734e137a3e5c0f4fa7cf2ffe31ba22e4296d7
                                                          • Instruction ID: e757f284e868c6d5e6fbd24ca89d5a59d9122949c29f3bbb4566430fd7ca1b54
                                                          • Opcode Fuzzy Hash: 037b1e8e5286d830788ad6b8fd0734e137a3e5c0f4fa7cf2ffe31ba22e4296d7
                                                          • Instruction Fuzzy Hash: CE41D035B10605AFCB14EB79E85069EB7E1EF88215F00C5ADE519DB381EB31E815CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f64925c106eb7e80309bbf56e78368235f0821080f04604b334954c64c2f3e12
                                                          • Instruction ID: c0caf017664e5942afe306ba886cd042c0e519a01d2c5baf3b8d9fb61d571934
                                                          • Opcode Fuzzy Hash: f64925c106eb7e80309bbf56e78368235f0821080f04604b334954c64c2f3e12
                                                          • Instruction Fuzzy Hash: C44134307057148FC729DB34C89466ABFF2FF89201F0488BED5468B382DB35A849CB91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c0ee164f88079804b131a12c031403a6f56b0cbc15d3d77ebcc86e81d8d95657
                                                          • Instruction ID: f1be34144c0f3243509853f443bd9752b34eebae907302580c2530b8b47e7033
                                                          • Opcode Fuzzy Hash: c0ee164f88079804b131a12c031403a6f56b0cbc15d3d77ebcc86e81d8d95657
                                                          • Instruction Fuzzy Hash: 0E410C75A00209CFDB04DFA8C584A9EB7F2BF88205F118598E809AB761DB71ED45CFA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: eae664b3823894f8e89ee196104f8649c795cf8223d1a4f4cccd7ad047facab2
                                                          • Instruction ID: 384d88a587ba16a5d349a7d07415225193c18d9f08a5c2bf0ffb2818344fe669
                                                          • Opcode Fuzzy Hash: eae664b3823894f8e89ee196104f8649c795cf8223d1a4f4cccd7ad047facab2
                                                          • Instruction Fuzzy Hash: D9412978B00615CFCB14DF65C5949AAFBF2FF8821571585ADE80A9B361DB31EC41CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9ce974ceb6a3ed502271153b9f9845317311ebba50af01b14be7c7b44667c766
                                                          • Instruction ID: 6c149e6e4ada079f2fa1b91fe0a2b8c8a4e1eb8da4315b3c453eafdac53f1d3e
                                                          • Opcode Fuzzy Hash: 9ce974ceb6a3ed502271153b9f9845317311ebba50af01b14be7c7b44667c766
                                                          • Instruction Fuzzy Hash: B5411F31E05344CFEB11EB24D8847BEBFB2BB86216F0452ADD44D9B682CB74985AC791
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f99eeb5c3851f65b8ca56532f0d380d637e271e2639041bab63fc9e2df4d1972
                                                          • Instruction ID: 78362d4c21e7fe836ccad3ace4670d8f94741e2cc10dc1d91348cd8ec849d6d0
                                                          • Opcode Fuzzy Hash: f99eeb5c3851f65b8ca56532f0d380d637e271e2639041bab63fc9e2df4d1972
                                                          • Instruction Fuzzy Hash: 5E419E71204705CFD724EF70D890A6AB7A6FF84305B409A2CD44A8BB96DF75F889CB91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 19f2721492f2fba447ce4875d2386638e87b980b9b196ab83d9de916de4fcccc
                                                          • Instruction ID: 9c9ab38942aa3d8ce68471d43abdf08f66c000fa5a60eead949568ba49f5247e
                                                          • Opcode Fuzzy Hash: 19f2721492f2fba447ce4875d2386638e87b980b9b196ab83d9de916de4fcccc
                                                          • Instruction Fuzzy Hash: 5341FD75A00209CFDB05DFA8D584A9EB7F2BF88315F118598E809AB361DB71ED44CFA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5709b1121ab2cb9b4244c2968abb476ccf1e3f5874d821cadd76bc5cfa81173e
                                                          • Instruction ID: b92215d04cfa6da35eabf2885817a34c008df71d46ce0bbd174cf32adc7df0f4
                                                          • Opcode Fuzzy Hash: 5709b1121ab2cb9b4244c2968abb476ccf1e3f5874d821cadd76bc5cfa81173e
                                                          • Instruction Fuzzy Hash: 67319C32B00245CFCB55EB68D494AAEBBF2BF88210F249179D80ADB351CB71D805CB91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d7e7e934db26eef9e417d6a52c3a17c91bc1a194c706a536272ddc9db29975ee
                                                          • Instruction ID: 122a83a8f1ddb3904471da8606922995ffd47067bcb947c8a8129e3d7fb1a52c
                                                          • Opcode Fuzzy Hash: d7e7e934db26eef9e417d6a52c3a17c91bc1a194c706a536272ddc9db29975ee
                                                          • Instruction Fuzzy Hash: 50416834A00619DFCB10EBA4C484AAEF3F2FF88215B408628C1599B751DB75FC5ACBA1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 05ac0048de4519230d895df3c7f5d363bb1fb74c2e712e7610cb7275a0559c56
                                                          • Instruction ID: 6da2cdde7fb585db2f726c74dab730624c4dd2d30daf0eb473696d3a94776a59
                                                          • Opcode Fuzzy Hash: 05ac0048de4519230d895df3c7f5d363bb1fb74c2e712e7610cb7275a0559c56
                                                          • Instruction Fuzzy Hash: 81316D797006118FC718DB69D59492EB7E6EFCC62231584AEE50ACB761CB31EC42CB51
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3e1ef1b65025104f868171d46e37ea5e7ebd74baca4c4dd0c9bf332c7ea25c57
                                                          • Instruction ID: f8e6c9682a1905c28229161b373f7938160728ce6488d2ca3ad0734209d9ee63
                                                          • Opcode Fuzzy Hash: 3e1ef1b65025104f868171d46e37ea5e7ebd74baca4c4dd0c9bf332c7ea25c57
                                                          • Instruction Fuzzy Hash: 1C418E34D0120ADBDB15EBA0D450BAEB377FF84302F608569D505AB381DF39A989CF61
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 11f8998e4c26f8e2a67a787b846840c2ed579064351d9f7f4afbe37678a763d2
                                                          • Instruction ID: 3c4fcf653a86bfdf6c73e91be4688289e19fd2ab004e97d85d6e0069b3cf4a25
                                                          • Opcode Fuzzy Hash: 11f8998e4c26f8e2a67a787b846840c2ed579064351d9f7f4afbe37678a763d2
                                                          • Instruction Fuzzy Hash: 8331743178B250AFC7168E2AE45C5DD7FA29EFF52170C60AFD845CF362E6239A098741
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 64f5ffcf3e7fe09654b70cf05edc5d8a24c0233e3474ef1c32e12c04dff655e2
                                                          • Instruction ID: b72e3ce91ee920ad026ddee38c5f278ab698c22ecae8c08f2f3b407f304de4e3
                                                          • Opcode Fuzzy Hash: 64f5ffcf3e7fe09654b70cf05edc5d8a24c0233e3474ef1c32e12c04dff655e2
                                                          • Instruction Fuzzy Hash: 062196357001108FDB08AB79E8A4A7E73D6EFCD366B15007AE20ACB3A1DE25DC429751
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: efddbfb93d08adc0a78ff0e51ce2522613661f63e3ee8c982b3a03a04f18a3ef
                                                          • Instruction ID: a008e119d827af6d720e6fbc4e8669e865df5ef8f7b6eb1aaf7be8a369bfb08c
                                                          • Opcode Fuzzy Hash: efddbfb93d08adc0a78ff0e51ce2522613661f63e3ee8c982b3a03a04f18a3ef
                                                          • Instruction Fuzzy Hash: 81315A353087908FCB119B6888905AF7FB7DFC6215B148559E9868B3C6DE75D806C361
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a2013cd564e9a1e3ecfe5a7b1c184adffa847a62fc719a37cae00c23f4f7f19e
                                                          • Instruction ID: c9d85cc4f8c12bcf6120b27942ef640011c8442e6d575b73453705217e79ddf6
                                                          • Opcode Fuzzy Hash: a2013cd564e9a1e3ecfe5a7b1c184adffa847a62fc719a37cae00c23f4f7f19e
                                                          • Instruction Fuzzy Hash: 9B31B276600619DFCB10EF75D89466E7BF1FF89292B21412AEA06DB301DB309D06CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8710388a8986fde42a53b70fd06d21640e7925da9bd83da56cd9b39c53841994
                                                          • Instruction ID: ba63e2d8501e574e3eef173b53fe1f7a0783fdcc82aa4c3d2e66edc0be8a6d20
                                                          • Opcode Fuzzy Hash: 8710388a8986fde42a53b70fd06d21640e7925da9bd83da56cd9b39c53841994
                                                          • Instruction Fuzzy Hash: 9F31A036B002058FDB14EFA8D8956AEB7F6FFC8311B108469D95AD7345DF709C118B91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a2c4918ddc2967254693a3b30d47722946944fe4418db4b6d4732c0dd618a3d7
                                                          • Instruction ID: 97d89446f2ac91e8e73adbe2b1d297a071e49467dcba653426e515dc6907ef27
                                                          • Opcode Fuzzy Hash: a2c4918ddc2967254693a3b30d47722946944fe4418db4b6d4732c0dd618a3d7
                                                          • Instruction Fuzzy Hash: 49315778B01305DFD708EFA4C4989AEBBB2FB88301B10856DD5569B391EB70EC45CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c1cab3fecd6fb427a97fd5a16bc54ee835ddb2281ab7a162f3163f65585343a
                                                          • Instruction ID: 87b522730fbbeb7aa403b51380111f690e2dfa51773420cf0620fd0d811fe563
                                                          • Opcode Fuzzy Hash: 3c1cab3fecd6fb427a97fd5a16bc54ee835ddb2281ab7a162f3163f65585343a
                                                          • Instruction Fuzzy Hash: BD31A275A00219CFCB10EFB5D99466E7BF1FB88392B21812EEA06D7301DB349D06CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0882e2b6d0037d2acd60fd0be42cded24a84ac40e3f58ef1d2a2c4e5ea94df16
                                                          • Instruction ID: 1268196ef3729670863bffb37da8e074a7ed22b91588b058a4cd0cbbcb9d098d
                                                          • Opcode Fuzzy Hash: 0882e2b6d0037d2acd60fd0be42cded24a84ac40e3f58ef1d2a2c4e5ea94df16
                                                          • Instruction Fuzzy Hash: E32179363003018BCB14AA29A8507AEBB9B9FC5231F58C53AD50ECB781DEB4CC4AC790
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 48b9301997e73231c5d6f5353de0ff692040f984fae2559d60f2708c0a8f190c
                                                          • Instruction ID: 48535e0ef29f10f9125da0254d7bcea7602074058fc661df1af18ff05d501c07
                                                          • Opcode Fuzzy Hash: 48b9301997e73231c5d6f5353de0ff692040f984fae2559d60f2708c0a8f190c
                                                          • Instruction Fuzzy Hash: 1D311E74B04209DFCF54CFA9C480AAAB7F2EF99211B18C0ADD519EB305D731E956CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dc1008db176d83ce1f08d578e424b4b354d024ebc248f320ee9565678a461e0e
                                                          • Instruction ID: e20458b3d337da471740fdddc91fae898f2c6e550e599f07a2139dc7d40011a2
                                                          • Opcode Fuzzy Hash: dc1008db176d83ce1f08d578e424b4b354d024ebc248f320ee9565678a461e0e
                                                          • Instruction Fuzzy Hash: 7A317A35704600CBD329DF20E844BAB73A2BF80356F988068D6164F6D9DF39EC82CB60
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 940bd216f25d2ac9824643e022b33bee631d9729d2c7bb982203bc0959f5fb75
                                                          • Instruction ID: e2c57a9bf984c7b680cd4a6c6373a8e859cc44e7a6c635adc6979cb20ffa9740
                                                          • Opcode Fuzzy Hash: 940bd216f25d2ac9824643e022b33bee631d9729d2c7bb982203bc0959f5fb75
                                                          • Instruction Fuzzy Hash: EC316F74A043458FCB05DB65D858AAEBBF2EF85301F1484A9E546DB392CB749841CB61
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 83b524315962e67824f9bca06a7ae080a72b569d2f1d00f403d2131f5deaab2e
                                                          • Instruction ID: 92b85aeb3fd7dfeb472944ce4510635ac86a84b96b45bc01447491966c1c6a96
                                                          • Opcode Fuzzy Hash: 83b524315962e67824f9bca06a7ae080a72b569d2f1d00f403d2131f5deaab2e
                                                          • Instruction Fuzzy Hash: C7319C39A10204DFC705EFA8D5849CEB7B7EB88315F109429EA09AB394CB71EC45CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ba1ca09e15207caaeb4b6dde3e97c651dbdf545ebe79e83502d37ccef784bd5d
                                                          • Instruction ID: ba12b659eeb024d15c5ef23924dd89ed51f5ae4fa39b936dcf9720366273879d
                                                          • Opcode Fuzzy Hash: ba1ca09e15207caaeb4b6dde3e97c651dbdf545ebe79e83502d37ccef784bd5d
                                                          • Instruction Fuzzy Hash: EA31CD75B017119FD705DBB4D8A0A2EBBA2FFC825071486A9D406CB355DF30DC02CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fb2143b3ee88efa216835eb2c0231631744e1f78d92165fac7772289f510f523
                                                          • Instruction ID: 489f2890c464d8f2f599c14667ffa8489dcf82f318fd1fd404383c793eb97792
                                                          • Opcode Fuzzy Hash: fb2143b3ee88efa216835eb2c0231631744e1f78d92165fac7772289f510f523
                                                          • Instruction Fuzzy Hash: 0231AC30A00605CBDB14DBB9D5547AEB7B6EF88242F04C43DD902AB686DF75D905CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6c825edbb4efa2d5c2f7e39cb92f7d322a66ca3f10fe1a7578d0b35d00d71176
                                                          • Instruction ID: 86e76a68db3193c709fe851f9bab051149a89e082825d40ed1428a6d4f639dcd
                                                          • Opcode Fuzzy Hash: 6c825edbb4efa2d5c2f7e39cb92f7d322a66ca3f10fe1a7578d0b35d00d71176
                                                          • Instruction Fuzzy Hash: 82316D74A04205DFCF54CFA9C480AAABBF2FF99211F18C0ADD559AB205D731E846CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aff2ab79f01d38a8e7b1f5560f6b851a66700bb4aba58a420dff84bde048b099
                                                          • Instruction ID: 1a3ea089c101e3c06ca114d8c0ca9e7e0e81273fa06c2b2e429eded4cc3f473a
                                                          • Opcode Fuzzy Hash: aff2ab79f01d38a8e7b1f5560f6b851a66700bb4aba58a420dff84bde048b099
                                                          • Instruction Fuzzy Hash: 4D318D767017119FD708DBA4D894A2EB7A6FFC82507508668E806CB354EF31EC52CBE1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ce96d96d7d4edd0cd87b3988ab6cdc30c4ca6063105f1b33fe6955f0ae5ca209
                                                          • Instruction ID: 8bedcfad11a309a4f36aa7901f70cd5c8bbd47575650ff7fb8d2e0dbed8c7b15
                                                          • Opcode Fuzzy Hash: ce96d96d7d4edd0cd87b3988ab6cdc30c4ca6063105f1b33fe6955f0ae5ca209
                                                          • Instruction Fuzzy Hash: 2921476584E3C01EDB239338A8646843F740E53016F5E41DFC0D1CF8A7C449541ADBB7
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0e9cebf31952f0bad88080b0ab569697e6fd84cd7c5d7d9024d73784063a8247
                                                          • Instruction ID: 2534d065530056fb1a857bb8b80e6cc6479a6a39ba983a8efa03f7702f645cbc
                                                          • Opcode Fuzzy Hash: 0e9cebf31952f0bad88080b0ab569697e6fd84cd7c5d7d9024d73784063a8247
                                                          • Instruction Fuzzy Hash: F2314D34B002058FCB14DB69D458BAEBBF6FF88302F14846DE94AA7395CB759852CB61
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f14c59a8a8e605f9d6cabf9387ee2682d9931fb5c1a55eb7e22b95085373d11e
                                                          • Instruction ID: 3507bb919a4aec385b69615e973cb80a7c2b11f914465314dc4fa4930358bd8e
                                                          • Opcode Fuzzy Hash: f14c59a8a8e605f9d6cabf9387ee2682d9931fb5c1a55eb7e22b95085373d11e
                                                          • Instruction Fuzzy Hash: 2F319C35300315DBC705EF64E894A5A73A2FFC8215B008A38E50A9B3A5DF75ECA5CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8f3c2394f81ad88d5eafa8d15e2af2711927996273e126fdd76c6db39df21aa0
                                                          • Instruction ID: e9a14e2de90db5fc4faf8dc07c0e7c4c2d7a3c5e77b9386a46cc653884f7c3d0
                                                          • Opcode Fuzzy Hash: 8f3c2394f81ad88d5eafa8d15e2af2711927996273e126fdd76c6db39df21aa0
                                                          • Instruction Fuzzy Hash: F421C3327043148FDB15EB68E88466EBBA6EFC4255B04846EE805CB345DF75DC0187A1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4ec68bd39da40073a84437a7a3541e9ebf145ff17ef3add4e3cc38af532d50b2
                                                          • Instruction ID: d47006cb1d639d3d8c89973cab4cbbba47bf4e966eb1dc55a67c6f7720c667fb
                                                          • Opcode Fuzzy Hash: 4ec68bd39da40073a84437a7a3541e9ebf145ff17ef3add4e3cc38af532d50b2
                                                          • Instruction Fuzzy Hash: 0B11BC2110E7C29FC3135338A8646897F35AA03116F0D81DFC0C5EF4ABDA29840AD7A7
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2742181174.0000000008EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8eb0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 420b6e2fe3726f912cba64be1789e7f3e94a4a3c2de55571f59c645a975293f4
                                                          • Instruction ID: eb9bf37e26d834c95dbfaf31bc66f0d218182655577e6054bc79183f39f2f0dd
                                                          • Opcode Fuzzy Hash: 420b6e2fe3726f912cba64be1789e7f3e94a4a3c2de55571f59c645a975293f4
                                                          • Instruction Fuzzy Hash: 4B21AE76700215AFD704CFA59814ABB37ABFFC9251B244429F955DB381CFB1DC528BA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c60d6fdc6381737a2c999a3f6c5a92cb0572124f815899c734134ab3ded4775a
                                                          • Instruction ID: ca59b6429fff3406377138f54b7877167d1a9ac1b8f018a7b23a873f902cea01
                                                          • Opcode Fuzzy Hash: c60d6fdc6381737a2c999a3f6c5a92cb0572124f815899c734134ab3ded4775a
                                                          • Instruction Fuzzy Hash: D4212C34A00214CFDB14DF68E598A9D7BF1EF49315F1580A9E546EB7A1CB75AC40CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ea576e189ba4e3fe5f07cc22b6095c4f168751fcb1cfb49fc6b3352030df2c1b
                                                          • Instruction ID: 4b8f8820b70f48fb30c972e4c046cc7d04e732934d5af37bda66ba83a7000611
                                                          • Opcode Fuzzy Hash: ea576e189ba4e3fe5f07cc22b6095c4f168751fcb1cfb49fc6b3352030df2c1b
                                                          • Instruction Fuzzy Hash: A721A575B0020A9FCB00EBA9D8509AEBBB5FF84311B108129E915EB342DB75D91587A1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 36b0fbaf68cdb980368654a18813199fe2129a4a08ffec19e1bd6d0bc933df21
                                                          • Instruction ID: 4a192ee1989f599b9f72028103dda53910f17758e92d2f7b4249ab0988ea7d3d
                                                          • Opcode Fuzzy Hash: 36b0fbaf68cdb980368654a18813199fe2129a4a08ffec19e1bd6d0bc933df21
                                                          • Instruction Fuzzy Hash: B7117CB67407209FC714EF59E8C4D6AB7F9FF88216B204169E90687361DB71EC02CB60
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ff8a393bb7339a71abe292c1c3776ffd0ca959056ac761dc2fa85c319970cfcd
                                                          • Instruction ID: eea9e41e070bb93af30273c2dd965103e4a4a39222e298470b2e1d10df9634e4
                                                          • Opcode Fuzzy Hash: ff8a393bb7339a71abe292c1c3776ffd0ca959056ac761dc2fa85c319970cfcd
                                                          • Instruction Fuzzy Hash: C4312A78A41218CFDB14DFA8C584AADB7B1FF4C626F15429CD806BB362C735E881CB60
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8d1292635ae15427cc8426d3c883246f4d1bca00c7d9f227ae7af458ae79ccf0
                                                          • Instruction ID: ba583920ad0f5b000b0760bf0e0842584b6f4afb2cbebb421b23accd2ec28542
                                                          • Opcode Fuzzy Hash: 8d1292635ae15427cc8426d3c883246f4d1bca00c7d9f227ae7af458ae79ccf0
                                                          • Instruction Fuzzy Hash: F0115B7AB446258FC714EF59E8C4C2AB3F9FF8861A7104469E51AC7361EB71EC02CB58
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c7ee368601c6731cc2b2b2dcc90acf850f6e5f1c2f7675315742379405252cdd
                                                          • Instruction ID: c1a9818cf69b8ebbcbb29499825430277f58360e09561e4252d32fd560eba5b4
                                                          • Opcode Fuzzy Hash: c7ee368601c6731cc2b2b2dcc90acf850f6e5f1c2f7675315742379405252cdd
                                                          • Instruction Fuzzy Hash: 3421C071F012599BEB05DB64C840BEEBBB2EF89205F144129D515FB384DB799D02CBA4
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7e8358fce8a99544be4d92300447cf889ed61f09b9fb6c85610d2177dd4eaeda
                                                          • Instruction ID: 96bfa893a477c162da4dfecbca960878c5f4890740e6a9a6858461347553f2d6
                                                          • Opcode Fuzzy Hash: 7e8358fce8a99544be4d92300447cf889ed61f09b9fb6c85610d2177dd4eaeda
                                                          • Instruction Fuzzy Hash: B821E170B45750ABE721D7649C10BAEBF22EB81B01F24015DEA056F3C2C7B16C12C7A1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d4d1031725f2c06fb2107c77d3740a44416dc738c62fd286806f4e401ef4bb08
                                                          • Instruction ID: 399df7f7c59cc8cb37a887cb79855352ab5468bd8a7a984f0867b6772ee5eb7c
                                                          • Opcode Fuzzy Hash: d4d1031725f2c06fb2107c77d3740a44416dc738c62fd286806f4e401ef4bb08
                                                          • Instruction Fuzzy Hash: FC110375B10704AFCB14EB79D94059EBBE6EF88210B00C56DD149DB381EF31E8598BA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1322958212a06450bbd2f410e456cfca84d65f7cff34d888f7c85a1a560128b2
                                                          • Instruction ID: 778bb3038ed650d62a4a4a647566e34e27c6441e7279ed0f32e45bef3826cfc6
                                                          • Opcode Fuzzy Hash: 1322958212a06450bbd2f410e456cfca84d65f7cff34d888f7c85a1a560128b2
                                                          • Instruction Fuzzy Hash: FF215E30A00B01CFDB25DBA4D9587AEB7B1AF44707F14C57DE512ABA96DB349801CFA4
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30b8bac4ad0391880bdc7bc8954bcffa41642866e1dd42ca31123c4886f61856
                                                          • Instruction ID: 4cafac96d6ebcb55df5aa57ee89b7b76cb3fb8813dc4d86c942dc43d86162c50
                                                          • Opcode Fuzzy Hash: 30b8bac4ad0391880bdc7bc8954bcffa41642866e1dd42ca31123c4886f61856
                                                          • Instruction Fuzzy Hash: B921F534A00215CFDB19DFA8C554A5DB7B2FF89306F2080A9E50ADB762DB35AC81CF90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2c3a1f048a34166a249572f329eeb43df10532f6a1ea7537e2579244d3b53261
                                                          • Instruction ID: f0ec0aec2064f34ece115f3ae70eef452d95359f3d730429b1d1419dc3a16dbf
                                                          • Opcode Fuzzy Hash: 2c3a1f048a34166a249572f329eeb43df10532f6a1ea7537e2579244d3b53261
                                                          • Instruction Fuzzy Hash: 8E012FA644E3C04ECB2317B55C69AC83FB05E2311AB1E42DBC496CF6B3C51A190ADB72
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 64ac202deaf10b374711874eb0debc276bc0fc2003c5ff3d3d54699d8cd7cfd2
                                                          • Instruction ID: 99418f4ebc3577fcf8cd7090c77e3ea505e6223860c66afd17c1845d701ba985
                                                          • Opcode Fuzzy Hash: 64ac202deaf10b374711874eb0debc276bc0fc2003c5ff3d3d54699d8cd7cfd2
                                                          • Instruction Fuzzy Hash: F611AC72F002599BEB0ADB64C840BEEBBF6AF89305F144129D506BB284DF759D41CBA4
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ecddc8421818f2610d5c602b06864ac9c2705d792df317a249844812fe4401ef
                                                          • Instruction ID: baade9d8ad1cce42c96db60c60f36743548932cc8f5b683e243491d6d5948f7c
                                                          • Opcode Fuzzy Hash: ecddc8421818f2610d5c602b06864ac9c2705d792df317a249844812fe4401ef
                                                          • Instruction Fuzzy Hash: B6118932A10218CFDB14EB98C940BEDBBF2AF8C211F205069D508B7350DB75AD45CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6c1343eeb47117841469b361df73f7c96115c870192c8a547e9da347f16bed31
                                                          • Instruction ID: fd7b5fa8d43f1bf5fcd2cc3f1254118cb1418b53a14a3233db4c958441c398e2
                                                          • Opcode Fuzzy Hash: 6c1343eeb47117841469b361df73f7c96115c870192c8a547e9da347f16bed31
                                                          • Instruction Fuzzy Hash: E211E1357043149FCB24AB359850A7F7BFAFFC6616B14852ED2468B782DB75E8028B60
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dc6a07c337dd416ceb002ccf88639c9d963372011f93f3e0bd917dd1d1264f50
                                                          • Instruction ID: 48d6f037b63f309e0d5721ed217fc6bafb5a7d60f49d4e3a5bb47e013df79709
                                                          • Opcode Fuzzy Hash: dc6a07c337dd416ceb002ccf88639c9d963372011f93f3e0bd917dd1d1264f50
                                                          • Instruction Fuzzy Hash: 9201562554E3C15ED7136338E8646867FA08A97116F4E94EFC0C8CF5A7C6298819C3A7
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 02dbc93ddf179f3819fbcf868e53833fe0fd793be6a20a5d1893b0b338b0b3e4
                                                          • Instruction ID: de3dc4db19f3b1928ef39a2df42ad9b248eeb5d24cfa7651e947a27a8d047169
                                                          • Opcode Fuzzy Hash: 02dbc93ddf179f3819fbcf868e53833fe0fd793be6a20a5d1893b0b338b0b3e4
                                                          • Instruction Fuzzy Hash: ED11BE32A40218CFEB14EB94CD40BEDBBF2AF8C301F205069D448BB690DB75AD45CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 410573cc33df8aff81f20c3d97e30bf1b4ebad7733c5100da2232fd777bfa2b3
                                                          • Instruction ID: 0d79ee3616d56de0b287ba3813f4ebf4ef410159374b1d37fd7f9d03fc9f9143
                                                          • Opcode Fuzzy Hash: 410573cc33df8aff81f20c3d97e30bf1b4ebad7733c5100da2232fd777bfa2b3
                                                          • Instruction Fuzzy Hash: D111E0382042409FE704DBA4D890AAFB7A6EFC5250B1085ADD0098F3A2CE71AD09CB91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734696090.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b30000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 76ed6527c2df41cb7daa95a5c6d3ff5ded71791b7638ad949a9132680913c459
                                                          • Instruction ID: 55affe52bf7fd07198cf4b1e7cf9c876704a90bd029069a7d0785945da3e4c5c
                                                          • Opcode Fuzzy Hash: 76ed6527c2df41cb7daa95a5c6d3ff5ded71791b7638ad949a9132680913c459
                                                          • Instruction Fuzzy Hash: 182189359002598FCB14DFB8C940AEEBBF1EF88311F1485A9C509EB310DB35A945CFA1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e42b69257cdace8ee9cfeabdf86469edf1ed413a9b410b013f28633e2cd7d703
                                                          • Instruction ID: 2dffe4e2334463c46135f5274abba31d554fbe67c54cddc0c046b9e1ff14736d
                                                          • Opcode Fuzzy Hash: e42b69257cdace8ee9cfeabdf86469edf1ed413a9b410b013f28633e2cd7d703
                                                          • Instruction Fuzzy Hash: 450126327053908FCB56AB3598146293BAADEC715331E40FAE90DC7352CA24CC06DBA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ace51e84fab82378c99d949bfaca8d0dd89674d7e7c6478a371b1c90e3b75b4a
                                                          • Instruction ID: d9f4a58db88c5ef6fbb60e2d7c419e1de4cf6128eb396aada10ea019f21d0615
                                                          • Opcode Fuzzy Hash: ace51e84fab82378c99d949bfaca8d0dd89674d7e7c6478a371b1c90e3b75b4a
                                                          • Instruction Fuzzy Hash: 9301B0753016118FC728DF2AD598D2677B6FF8961631186ADE40A8BB31CB31FC41CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 20dbd7dd4ded1d112ee0a9488142d06de956a558c08f7632fd86f9e3fb64306e
                                                          • Instruction ID: 8add85dbbce0f7c97f04a631c0d116510603f4472bb36fe4b57c71101fd2b9bd
                                                          • Opcode Fuzzy Hash: 20dbd7dd4ded1d112ee0a9488142d06de956a558c08f7632fd86f9e3fb64306e
                                                          • Instruction Fuzzy Hash: 25018C2140E7C2AFC713933868A809A7F726D13115B0981DBC0C5DF9ABCA29981AD7A3
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 28722b7040a946c627ecb01681cf979f57903f75f109b1dce1520ca3db0dacef
                                                          • Instruction ID: c3721308f90c83216c280a4a74433621956e5002508d556b3721066d74079454
                                                          • Opcode Fuzzy Hash: 28722b7040a946c627ecb01681cf979f57903f75f109b1dce1520ca3db0dacef
                                                          • Instruction Fuzzy Hash: 320178337093849FCB035FE5AC9898ABFAADFD7251308406EE149C7362DAA58806C721
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dd7dbaf65a036d4d0f8ac0378e0b8473d12326696ff8ad41e5211b5e67c1feda
                                                          • Instruction ID: aa50bca0ba01ca3ebd5280c10f7bf7cd3b923efab150ea33359d27ac0d3b2b94
                                                          • Opcode Fuzzy Hash: dd7dbaf65a036d4d0f8ac0378e0b8473d12326696ff8ad41e5211b5e67c1feda
                                                          • Instruction Fuzzy Hash: E801A270204705CFD720DF26E89099BBBE6EF852107008A2BE049C7661DA30AD098BA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 193d9be5d27b618a9b1ecdcf2d61414009c2865184c67fb1e1e58c5e461a39dd
                                                          • Instruction ID: 0a8d05a2011d2be879a9d98a49ec0c4f1e58135ed80dd6fd7c92ff740048f08f
                                                          • Opcode Fuzzy Hash: 193d9be5d27b618a9b1ecdcf2d61414009c2865184c67fb1e1e58c5e461a39dd
                                                          • Instruction Fuzzy Hash: 1401F436701B51DBEB355A29D41837A76E6EBE0723F0400BDD44B83691CBFC9846CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e6b3d74cfbd66d9d987f6e2f66f2d7d3b2ec02270a85230fd3efef5f00516655
                                                          • Instruction ID: 6b2820960ecbc43809890d5944ef5429f9f95016d2ea9ee4c2c0d38b42282720
                                                          • Opcode Fuzzy Hash: e6b3d74cfbd66d9d987f6e2f66f2d7d3b2ec02270a85230fd3efef5f00516655
                                                          • Instruction Fuzzy Hash: 6DF02D3734D3811FC71652BD6C6457D5F568BC612171442AFE255CB3D3C99888048361
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: df963d3e44983d18a7689f0ce7270421cf57ddb289ae214edffb36887c7793b7
                                                          • Instruction ID: cd801d476c5053de769bf0924f9dcba32680238965bb503f24bfd5ea8f534227
                                                          • Opcode Fuzzy Hash: df963d3e44983d18a7689f0ce7270421cf57ddb289ae214edffb36887c7793b7
                                                          • Instruction Fuzzy Hash: F601B5729443A98BEB14EB98C804BEE7EF16F44309F14056DC051B7782CBB95D04C7A1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bd704df73ecaa42f59ca21bba3bf4f95a2cdbed50a01d60b444830df5a55ad2d
                                                          • Instruction ID: b6fcebe4d06833b82b7fb708d409b61a2d9c0facb393afc3ff8ddf695bd2bb86
                                                          • Opcode Fuzzy Hash: bd704df73ecaa42f59ca21bba3bf4f95a2cdbed50a01d60b444830df5a55ad2d
                                                          • Instruction Fuzzy Hash: 5311D675A04119CFCB04DBA8C694E9EB7F1BB4C210F214294D459AB3A1CA31EE41CFA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cdb8f8d94c22e10f525f23226f96f157ff713bfa2ae48853735dada54e79160e
                                                          • Instruction ID: d47643f85c0781dc6673ead543a5247ed877c38b1e5b6f091772ed53879fe0da
                                                          • Opcode Fuzzy Hash: cdb8f8d94c22e10f525f23226f96f157ff713bfa2ae48853735dada54e79160e
                                                          • Instruction Fuzzy Hash: 1101B17090436A8BEF25CFA4C5097EEBBF1AB48701F0444ADD451B7281CFB95904C7A1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e06f0241edd337d342d580ab8ee9c8cbe282e9c6fb928bf2aafa93cb3072f7e6
                                                          • Instruction ID: a0be46add25540f2c8ed2ccd0aafbd8cb830752624a86a4b2bb72910529e5155
                                                          • Opcode Fuzzy Hash: e06f0241edd337d342d580ab8ee9c8cbe282e9c6fb928bf2aafa93cb3072f7e6
                                                          • Instruction Fuzzy Hash: A1019A71801249EFCF109FA4D844AACBFB2FF04356F14406AF512AB662CB398981CF40
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7b1e7af6939e0011228c9f215ba9706387fcd41c8dc390f85817cd3b1a4d3976
                                                          • Instruction ID: ab2ca6cfc1f1f6d6cceb404171a683f97680abf1338ad606833f6978fae3d56c
                                                          • Opcode Fuzzy Hash: 7b1e7af6939e0011228c9f215ba9706387fcd41c8dc390f85817cd3b1a4d3976
                                                          • Instruction Fuzzy Hash: ABF04632B0A398AFEB218664DC447E9BF79AF82310F0002FFC405DB282CB701804C751
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: af0c8a04f6e5ebf8821c90a68afcd3684a73ef0c721768c9dcedc78e382bbf2b
                                                          • Instruction ID: d2fbbe28bd9cdc2024a96d2a35d18b10ea74b756647b05802cc6d28bc69d7b3c
                                                          • Opcode Fuzzy Hash: af0c8a04f6e5ebf8821c90a68afcd3684a73ef0c721768c9dcedc78e382bbf2b
                                                          • Instruction Fuzzy Hash: A201C831A04619CFDB14AF64D95CAAEBFB5FF48712F10856DD402A72A5DF74A800CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d81c148695c0ed3008168c698212bdc1aa3c9551342e3902b4757e9e90aafe54
                                                          • Instruction ID: 0c81bc7779902c9781bc108d09c52b2c73066781a095973f64976202deb7e886
                                                          • Opcode Fuzzy Hash: d81c148695c0ed3008168c698212bdc1aa3c9551342e3902b4757e9e90aafe54
                                                          • Instruction Fuzzy Hash: F6F0543220E3D4AFCB031B99AC949CB7F79AF471657094197F688CB153CA288C46D776
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 90ac7331eaf091aff47767e11d571456c879d3b94c6f16a16f99e527f7aa905b
                                                          • Instruction ID: c23c329952c784d69744221288fda631524497228beb1fe386ac611eaa9c5a6f
                                                          • Opcode Fuzzy Hash: 90ac7331eaf091aff47767e11d571456c879d3b94c6f16a16f99e527f7aa905b
                                                          • Instruction Fuzzy Hash: 8AF0345194E7C11EC323A334A86878A7FA40F83021F0A88DFC0C48F8A3C158440AC7E7
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 04028a45040d177cd933f6668baa3dfdedac2131559c0d1d27475868757054c7
                                                          • Instruction ID: bae3a43080e508d09816397c5de4cfa897b3ac805d43d2d6c94e595557a96352
                                                          • Opcode Fuzzy Hash: 04028a45040d177cd933f6668baa3dfdedac2131559c0d1d27475868757054c7
                                                          • Instruction Fuzzy Hash: 0CF0F22908E3D11FCB23A378ADA41C87F349C43189B2A41DAC1C2EF867C609581F9777
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6412c23cbef48bb6bafaf8e0cde201073bc309438d23075a79bbee9178866759
                                                          • Instruction ID: 147ddcb6aafce35e02e4575b8e130612558cdc7c13b73a475c2b12539bb57227
                                                          • Opcode Fuzzy Hash: 6412c23cbef48bb6bafaf8e0cde201073bc309438d23075a79bbee9178866759
                                                          • Instruction Fuzzy Hash: 3FF0FB1A44E3D01EEB2B133458282953F344E23006F5A92DBD6C1CF5EBC65A680AC3B3
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 40c8ed5fd12a75828eb17bba368463c7ac206e3871c75dd5b21c1beda83574dc
                                                          • Instruction ID: 8edcb51cf2f115d1578f9d6de2c8df1b225491527328a97bea59d7b26c9d56b2
                                                          • Opcode Fuzzy Hash: 40c8ed5fd12a75828eb17bba368463c7ac206e3871c75dd5b21c1beda83574dc
                                                          • Instruction Fuzzy Hash: 75F0C9A284E3C14FD713A3789869654BF701E17410B4E40DBC4D4CF1A3E4588959CFA3
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6c938e1dd121daa8a27e9c44781a241c03756ee032dff5771ebc737ec7f90b7b
                                                          • Instruction ID: e4097cdb8f8d3136ac70a8c52d513781b9ee3794c22817a6b13767625a3de6f7
                                                          • Opcode Fuzzy Hash: 6c938e1dd121daa8a27e9c44781a241c03756ee032dff5771ebc737ec7f90b7b
                                                          • Instruction Fuzzy Hash: ADF09071E043189FCB11DFB5D8045EEBBB8EE49611B0086AAD456D7242EB748705CFF2
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 44de1bef9781d474441f0524a2898871ec99c2996ad5a0827773d14aa0d2c369
                                                          • Instruction ID: 22b505d36e3a54a93aed61c0e2beefb7663628a622a99ea683309679a3ccf22f
                                                          • Opcode Fuzzy Hash: 44de1bef9781d474441f0524a2898871ec99c2996ad5a0827773d14aa0d2c369
                                                          • Instruction Fuzzy Hash: C5F0E27154D7C59FC71363B8B42C55ABF296A4251AF08C0EFD089DF45BCA359409C7D2
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ca722c49c703d2836519452c2bed46c9a670d25fa63bad72c12a54dfe40991f2
                                                          • Instruction ID: 3a8664f0f51f249b1fa4142202f38561fce0a5a9334f9ed2d7db371a3f941a00
                                                          • Opcode Fuzzy Hash: ca722c49c703d2836519452c2bed46c9a670d25fa63bad72c12a54dfe40991f2
                                                          • Instruction Fuzzy Hash: C1F08C7515E2908FD3039B74E4588907F66EF0B26072A80DBE4A98B6A3C5198803C762
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5532b9e5942ab50bd43828dfcf010be6934aa05c3cc942f411375103b9af2785
                                                          • Instruction ID: 89df17024b9ecb22ba617a596b000fdb5a6d921da3b80169a55456dd4e39c81b
                                                          • Opcode Fuzzy Hash: 5532b9e5942ab50bd43828dfcf010be6934aa05c3cc942f411375103b9af2785
                                                          • Instruction Fuzzy Hash: C3F0BE7AB456518FCB15EF24DC809ED7732FF8521771541AAD805DB362C721EC02CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a98b1f659a226ee56a8e3910eba070e48ae674d1b4a4712c6cab648713eb19ee
                                                          • Instruction ID: 7edc13cab3db4be6af524a07eaf895eda04d40ce5542eae12bad6cffcb0a6121
                                                          • Opcode Fuzzy Hash: a98b1f659a226ee56a8e3910eba070e48ae674d1b4a4712c6cab648713eb19ee
                                                          • Instruction Fuzzy Hash: F9F030753096618FC701DB69E4988697BF6FF9921631584DAD406D7367DB30DC42CB20
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bcc1e9e4b7d4dc72d58d7b32adf0e3699e2297406579f6f852cdcf54ae720ab8
                                                          • Instruction ID: e9bd716bf4880b3395e5f6877e6163eec8e6d88d242ad3f8a2cc06288a4f76f3
                                                          • Opcode Fuzzy Hash: bcc1e9e4b7d4dc72d58d7b32adf0e3699e2297406579f6f852cdcf54ae720ab8
                                                          • Instruction Fuzzy Hash: 63F0A7323001209BCA109B5EE508A6BB7AFEFC9626B14406EF20AC7351CF61DC024790
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2fc5c908e84d077f6a3d26b094dd6445aafa6b3c01dfa5cbca9bdaa75e7973f1
                                                          • Instruction ID: 006d0e693b42147dbcf82d44b041821cfa418f8793fbc1b27051ffd5688668a7
                                                          • Opcode Fuzzy Hash: 2fc5c908e84d077f6a3d26b094dd6445aafa6b3c01dfa5cbca9bdaa75e7973f1
                                                          • Instruction Fuzzy Hash: 89F09672A493C29FEF11C735C8543A53BB1AB03316F2941FDE405CAA96D73A8446D711
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9ec5e3061c4c73ae149685fab69c77e9362e61f69f7a563608f252e6d9ea0573
                                                          • Instruction ID: 85b2c16bcb9c96a5bf081ff8cf6662edc14faff1e07cf5fa90fcb8271f611730
                                                          • Opcode Fuzzy Hash: 9ec5e3061c4c73ae149685fab69c77e9362e61f69f7a563608f252e6d9ea0573
                                                          • Instruction Fuzzy Hash: D0F0F02420E3800FC3239738982055E3FB28BC311070545AFC186CF692CF6C9C0D87A6
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d9687a3fc313648a0a80d699feb3b5e93c301a1e9dae73c0a0ce90e9af1fd911
                                                          • Instruction ID: 9c9ba83ad1b1725ab3fed77c8c04c508a7f09984251f540c6d5e0daa97d51981
                                                          • Opcode Fuzzy Hash: d9687a3fc313648a0a80d699feb3b5e93c301a1e9dae73c0a0ce90e9af1fd911
                                                          • Instruction Fuzzy Hash: 8901E4B4E0021ADF8F40DFA9C940AEEBBF5FF48241B10846AE915E7311EB309911CFA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d97334efd651e27ab2b55fb395c46aa47fa49be9eacf6862fb681d88bd3b8716
                                                          • Instruction ID: 3c11d341b27c4ca663f4a5d87aeef1983e73b44733ad7fcc512ee512ff2a520b
                                                          • Opcode Fuzzy Hash: d97334efd651e27ab2b55fb395c46aa47fa49be9eacf6862fb681d88bd3b8716
                                                          • Instruction Fuzzy Hash: 74F0E5727542502F8706966D986486A7BEE9FCE122315419FE149C7332C911EC0687A1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5bc53b16892fa744f8581393039a429551788b1ebed98351787af36f27cc610c
                                                          • Instruction ID: e8e56dd09669e03d3e66fed637415f22c46fcc60ce3398cb7885499418885292
                                                          • Opcode Fuzzy Hash: 5bc53b16892fa744f8581393039a429551788b1ebed98351787af36f27cc610c
                                                          • Instruction Fuzzy Hash: D4F0E932240290DFC335971AD414B5A77AACFC111B714507FD80DC7B51CAA0D809C761
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b61403788a175ca27b7ebe3b94777a51c5c8f614ef92cc8ccc862a68ab86e54b
                                                          • Instruction ID: b598cbfbad913844794d0298641601a139333a598ed67c30ea4a7201b80eb431
                                                          • Opcode Fuzzy Hash: b61403788a175ca27b7ebe3b94777a51c5c8f614ef92cc8ccc862a68ab86e54b
                                                          • Instruction Fuzzy Hash: A9F0B4743193405FC3198B3DA4948267BB6EFC922531440BED04ACB362CAB2DC06C754
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 233903cb2ca8bc70bbf6caffab2e9390d85edeb1117857a63ec5652fbcfcfd5e
                                                          • Instruction ID: b675d3b0be36e3c8cf3cbf25a2022bd2975df10facd53168a13dd70ae8e3bb74
                                                          • Opcode Fuzzy Hash: 233903cb2ca8bc70bbf6caffab2e9390d85edeb1117857a63ec5652fbcfcfd5e
                                                          • Instruction Fuzzy Hash: 1CF01D71204709DBD720DF6AE88094BB7E6EF84214700CA3EE45A87625DA70EE598B90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9199b07490dc10ed26d30bc1d0cc94503e9d60d304f080968720b2ff3315f7ec
                                                          • Instruction ID: d453a61b9961730847b4fade05bf561e7e8fc49d581d8dc22ca3c275b2a5c69b
                                                          • Opcode Fuzzy Hash: 9199b07490dc10ed26d30bc1d0cc94503e9d60d304f080968720b2ff3315f7ec
                                                          • Instruction Fuzzy Hash: 34F08239B01114ABDB05E7A4E5106FDB7A3EBC8610B14C068E906A7384DE358D1657D1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735292272.0000000008B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b50000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d18278c2621dc7b26dfcb9e95685984572e161ebbb281e16f536121bfd67a30b
                                                          • Instruction ID: e1a846f79031f41afd3be9cd3375454dbd63da94887d6d97ece22cbe507a8329
                                                          • Opcode Fuzzy Hash: d18278c2621dc7b26dfcb9e95685984572e161ebbb281e16f536121bfd67a30b
                                                          • Instruction Fuzzy Hash: 89F027359062404FCB05EA38E88C4EA7F72DEDA51230480E8C466DF206CA21880ACF31
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bfdcea6fedfb8177ff69adacb7a82e51eb983bbc90e201387d16ec3767953701
                                                          • Instruction ID: c8e66f99e2db13b5f5befd40f4baf08d0e474b167d66335994724c66a97f46a0
                                                          • Opcode Fuzzy Hash: bfdcea6fedfb8177ff69adacb7a82e51eb983bbc90e201387d16ec3767953701
                                                          • Instruction Fuzzy Hash: 71F0E536B00214DBCB146678D8044EE77BAEBC8221B05003AE907E3340DF799C068B91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d9145413b7d0453dd96799029295a557f4c8fb8262dc92bafbd38d647ff8a9f0
                                                          • Instruction ID: eb96d57333dca295c0a260bcc5e659ade5cf4ef3c573a31e84b3f27eb8f91150
                                                          • Opcode Fuzzy Hash: d9145413b7d0453dd96799029295a557f4c8fb8262dc92bafbd38d647ff8a9f0
                                                          • Instruction Fuzzy Hash: 38F02737E01B159FD3125538B4083E67B90DB41367F08052AD559C61E1DE68C8828BC0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 991b1bafbf427f63952cc6cdf4923f41c38e60eeab5780478253bc33dda4f380
                                                          • Instruction ID: 3231e3b00428c065c21e8b9d33baff939f59a53ec02f075f4cd38168c33f19d8
                                                          • Opcode Fuzzy Hash: 991b1bafbf427f63952cc6cdf4923f41c38e60eeab5780478253bc33dda4f380
                                                          • Instruction Fuzzy Hash: 3EE06536B0425897CB156669D8044EE77FEEBC8261B05007AE906E3340DF759C068B91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5074dd07b0b777fec5ddcf33089618d0568fe40762639349d34483171f31029c
                                                          • Instruction ID: 3c94bc4438596caaeb49af4b37e057997dc18a9a5415df0bd2b085c749451db9
                                                          • Opcode Fuzzy Hash: 5074dd07b0b777fec5ddcf33089618d0568fe40762639349d34483171f31029c
                                                          • Instruction Fuzzy Hash: D2F0BE35A00715DBCB10EB62D40495AB3E6EB88221B00C42CD42A93700CB34FC46CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0db19db05fe4677147396a7756af2a5359cc77955d9140ac3dbc0b629d20f4ec
                                                          • Instruction ID: c3b97005207dfca36218dfca5ccf45ea76dcba8633a14b7b4bb0641ef5062d39
                                                          • Opcode Fuzzy Hash: 0db19db05fe4677147396a7756af2a5359cc77955d9140ac3dbc0b629d20f4ec
                                                          • Instruction Fuzzy Hash: 34E0653984E3C48FCB036378A5380A83FB0084301670E40DBC4C9CB97BCA29080ADB23
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 50d00bf2522ee2bc653794b9e18ffd795938fb17ce4f2a043213be503c8752b7
                                                          • Instruction ID: 8fa3414a2bac27f0c27d27c98c9127919eccb5c28d3679b5efbc66bf0cc00497
                                                          • Opcode Fuzzy Hash: 50d00bf2522ee2bc653794b9e18ffd795938fb17ce4f2a043213be503c8752b7
                                                          • Instruction Fuzzy Hash: 8BE04FA280E7C04FC71363749C684D87F700D63115B1A16DFC4EACF2F3E51A091A8762
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f3ca04d279ba5cf6222c547ddb61451bd8f46e04763af9720eb6b983401a7690
                                                          • Instruction ID: 68967942d92ae62e587028ef5def49933c9cc5800d381d0d4815350eac0d613a
                                                          • Opcode Fuzzy Hash: f3ca04d279ba5cf6222c547ddb61451bd8f46e04763af9720eb6b983401a7690
                                                          • Instruction Fuzzy Hash: C0E08C6684E3D01ED72363786C282883F340E13002F1A40DFD1C0CF8ABC45A241A87B3
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8566d08247567ed601134f006f971ce80636a5c2dae46d1e3a7f9b6422f159dc
                                                          • Instruction ID: 0e74e7992d518ae0db0d5fb4dd77224a3e08d6602f6d7b11c4b4c6e8bc1b1afc
                                                          • Opcode Fuzzy Hash: 8566d08247567ed601134f006f971ce80636a5c2dae46d1e3a7f9b6422f159dc
                                                          • Instruction Fuzzy Hash: B8E09A6290D3C08ED713527458790947F719D53205B1A45EBD4D4CB153D515152ACB63
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2e574bea06a5dde861de9dd1b7965ab3e8abd6ec088972b41640a8d010f772b9
                                                          • Instruction ID: 75b55f5fa555601bd0930197d1a4e2b4a188cafd2d09d04447c81664d4a6f844
                                                          • Opcode Fuzzy Hash: 2e574bea06a5dde861de9dd1b7965ab3e8abd6ec088972b41640a8d010f772b9
                                                          • Instruction Fuzzy Hash: 35F09231906398AFDF11DFB489412EDBFF89F02106F1141FAD944D7142E6388799C791
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4416c795899f3d3c2d02a0c042d885435f0bb0bd1649dc510ea826251979992e
                                                          • Instruction ID: 3badd08c539a9e61f4db406b8aff34f95d7150da474168c09d5960fac18864c5
                                                          • Opcode Fuzzy Hash: 4416c795899f3d3c2d02a0c042d885435f0bb0bd1649dc510ea826251979992e
                                                          • Instruction Fuzzy Hash: 1CE09232205248ABCB115FCAA884EDBBBADEF89261F44802BF60883212DA7088149765
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 239472596f3022a3e4890f01d6a72f6884802765d311bd8020e6113dc21a83f2
                                                          • Instruction ID: a734ab37dc196fabb5021d46bcba515378837520f0a81b2b03dd9d0d034e7fde
                                                          • Opcode Fuzzy Hash: 239472596f3022a3e4890f01d6a72f6884802765d311bd8020e6113dc21a83f2
                                                          • Instruction Fuzzy Hash: 4EE09237A42B289BD7215A79A8083E27298DB81377F08453DD929C71D1DE69C8808BC1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: be880cbcf8c7c3a9af0de4ae3e3f7b0cc5ee272a83b586f3ddf4cf5c2e0bd987
                                                          • Instruction ID: 02a2fbb297375e5ecd5fbe357073fb8d118369e795ffe0c301e5744dfbc5e1fe
                                                          • Opcode Fuzzy Hash: be880cbcf8c7c3a9af0de4ae3e3f7b0cc5ee272a83b586f3ddf4cf5c2e0bd987
                                                          • Instruction Fuzzy Hash: BEF0EC794093808FD301DB34D8853833BE15F83359F1885A9C14C8F292DAB9484E87E2
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 98491ee82e262c4f24519b2c740cfd77e26c158f9b8e7cd41821c142b666d9e7
                                                          • Instruction ID: cb2e47fb7623f1b7a2cba4f18f7d65b1312bfe5f465405474c5139eaf17f53de
                                                          • Opcode Fuzzy Hash: 98491ee82e262c4f24519b2c740cfd77e26c158f9b8e7cd41821c142b666d9e7
                                                          • Instruction Fuzzy Hash: B6E08C2104E3C40ECB1313742D292C83F741E03109B1D84CBC484EB1ABC95A041AC7B6
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 91c5442cbdd93efc71cbd68bd7d8da8a6651488b3018c21bdd935618949381ee
                                                          • Instruction ID: 3f7a7c034dcfc493a53e41cd97b74dade03d41e300674d9cf2d247cc1b3ca4d5
                                                          • Opcode Fuzzy Hash: 91c5442cbdd93efc71cbd68bd7d8da8a6651488b3018c21bdd935618949381ee
                                                          • Instruction Fuzzy Hash: 55F0A076D0534ACBE718DBA0D9583BE37B2BB84746F141868C013AB2D1CBBC48428B45
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1bf49124a2326bbc33dc6f56e3488db2279972abc32f18037e1aee902d4ea301
                                                          • Instruction ID: e3a16982618ad38a41792362e0e718aa7c31cafb60531017fca06fba0bb48f4c
                                                          • Opcode Fuzzy Hash: 1bf49124a2326bbc33dc6f56e3488db2279972abc32f18037e1aee902d4ea301
                                                          • Instruction Fuzzy Hash: 0EE06D323006509FC374AA2AD414B5A73ABDF8026B700407ED80AC7B50CBB0E844CB61
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c67189c260c389a41cf247d172636fb9665e1a0f9bc54269e25147fc53bbf89b
                                                          • Instruction ID: d04d5cac1e23337ab5207be64ad7f5a6d95ef86bc8df4e3a6a2e810531128de3
                                                          • Opcode Fuzzy Hash: c67189c260c389a41cf247d172636fb9665e1a0f9bc54269e25147fc53bbf89b
                                                          • Instruction Fuzzy Hash: CFE04F323053145F87209A9AE49886BBFEEDBC8565318816EE10DC7312DEA4EC09CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 000d61ba6e37def5ea0f81e8471b4328768795b34e32287a32d8c5b99a06782e
                                                          • Instruction ID: d36c4dafea3152af94b03bfaff3bdf88dcfdbc573c7aeaa1f1af3ad3e7be5cda
                                                          • Opcode Fuzzy Hash: 000d61ba6e37def5ea0f81e8471b4328768795b34e32287a32d8c5b99a06782e
                                                          • Instruction Fuzzy Hash: A9E08C767101105B4718EA6EE844C2BB7EFDFCC62131441AEF10AD3321CE60EC0287A4
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 629ec01b28322ca706744193d7acd7e9a416407fb7e8e662698092e2ef47c441
                                                          • Instruction ID: c6f6e6f9e1cf97b562a935ffedd46b198f2d6a54f61a31490a564e731c4e552a
                                                          • Opcode Fuzzy Hash: 629ec01b28322ca706744193d7acd7e9a416407fb7e8e662698092e2ef47c441
                                                          • Instruction Fuzzy Hash: 23D05EE388E3C04FCB0312A019680D83F31295301672E55EBC088DF7A7D51A191BA732
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 105352dd219d691f2586ac155f891cf23b8ef72f2f04c8fb5ab6762fe4912d5a
                                                          • Instruction ID: f3559b22722553d6bb1e9758e31455130d6749f002d9dec623c2d1c2fd96700c
                                                          • Opcode Fuzzy Hash: 105352dd219d691f2586ac155f891cf23b8ef72f2f04c8fb5ab6762fe4912d5a
                                                          • Instruction Fuzzy Hash: 6FE0DF36300B105BC361AB6DE40465F33E7DBC5221B00893DD20A8F780DFB8AC490BE6
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 522d1adc8e7138902be0b1d30b1761610e7027bd6db46a259d6fa30f130cedb2
                                                          • Instruction ID: 4b97dfa307a2de16b8803c030fc054350b932515fd45030c54d1f630bbdb5208
                                                          • Opcode Fuzzy Hash: 522d1adc8e7138902be0b1d30b1761610e7027bd6db46a259d6fa30f130cedb2
                                                          • Instruction Fuzzy Hash: F5E0D835204350DFC702D7A4E808A9D7F75EF06215F0640D7E5089B363C6389D0587A5
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b746310a7b1182dad59448abbf511a5134bc07f380308e6f18b4c9a804ef18a8
                                                          • Instruction ID: 4f27c61ad379683616cdcd6baf88f91e799b2f7ed867a8f95e7c8edda2cc509b
                                                          • Opcode Fuzzy Hash: b746310a7b1182dad59448abbf511a5134bc07f380308e6f18b4c9a804ef18a8
                                                          • Instruction Fuzzy Hash: 82E0D83021D3804BD342E77CE410B953BA3DB8511075581A6D151DF267DFA48C07C3D2
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 14bc3e5dab84b34741b7b12683d23702eeedd7048907baeee475f56ea5617da3
                                                          • Instruction ID: e0314a9d76bc9f120410e8f5369b58511a6432167b64975aef008f07a423ae80
                                                          • Opcode Fuzzy Hash: 14bc3e5dab84b34741b7b12683d23702eeedd7048907baeee475f56ea5617da3
                                                          • Instruction Fuzzy Hash: BEE065317003828FEB509B76D85836A36A5FB83706F5080B8E209C6285EB3E88829B50
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5b85ac68c57266da90e3f4e6aa35d4106e4f7b03108be270d80288bbb415d6ba
                                                          • Instruction ID: eb809f1589fed5804694003eed4023a61bddb533659dd5d72a4f2d8df980d45d
                                                          • Opcode Fuzzy Hash: 5b85ac68c57266da90e3f4e6aa35d4106e4f7b03108be270d80288bbb415d6ba
                                                          • Instruction Fuzzy Hash: BCE0CD717552144FC701A7F9E4550AD3F6AEF8750032540D6D149DF763DA229C0A57D1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ebe419e08cf8a0de8e7b52156a198e2f20f2d74ab8becb31ee03913fc159e50f
                                                          • Instruction ID: 9a223a7dc3917caa9ff4f8c1ef8066badc0d8eaf263461213892dbffa2506c2c
                                                          • Opcode Fuzzy Hash: ebe419e08cf8a0de8e7b52156a198e2f20f2d74ab8becb31ee03913fc159e50f
                                                          • Instruction Fuzzy Hash: AAE09232C0D289CFCB0A9B64EC590FEBF70DE11212B4442EED847E21D2D634194ACF81
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741558949.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4bc892d0597d867afc06318864edc2b4b986d020b1cf393260f0c80c6bde9430
                                                          • Instruction ID: ae7311f8f88f70290c847115147379148786fb139c1a7a5f8b07a6abf3b182eb
                                                          • Opcode Fuzzy Hash: 4bc892d0597d867afc06318864edc2b4b986d020b1cf393260f0c80c6bde9430
                                                          • Instruction Fuzzy Hash: C5E0DF3260A3D48AC7235A79A4044693F288D831A632D01FFE80CCB202C525C8029BA2
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ebaf4463a7b6cd6eee309b99f1c51a4833b9f98439decc6c65ed941c63846ff2
                                                          • Instruction ID: f3932d83f6f99c1da72b67a76765bdb50b881e312b32cc3ddd469e0402210cbd
                                                          • Opcode Fuzzy Hash: ebaf4463a7b6cd6eee309b99f1c51a4833b9f98439decc6c65ed941c63846ff2
                                                          • Instruction Fuzzy Hash: 40E0263860D3458FCB09ABB8A9285253F66AF8521130844E9D8968B773EF28DC81CB40
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5cb5c60113ecb4e927c9c317ca1e7fc778770b05aa658907ca1aec80ddfa8661
                                                          • Instruction ID: c787cf0a9d568e5272c7105c36d712d6ca30b688c610d764af19af7b8bdb4bab
                                                          • Opcode Fuzzy Hash: 5cb5c60113ecb4e927c9c317ca1e7fc778770b05aa658907ca1aec80ddfa8661
                                                          • Instruction Fuzzy Hash: 31D0A92284E3D48FC3076338A42C3C83FA80E13022F0D90CAD888CF02BC6181808C7A3
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734696090.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b30000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6936a2b2029bc7a2b7e5bd1548c432e9ef3dcb5c6f987a9ecae8f9a3563414e3
                                                          • Instruction ID: 24b7d0669d90be28d18d26c6068f6ba4595c313836129f8563e34d0d1005f4d6
                                                          • Opcode Fuzzy Hash: 6936a2b2029bc7a2b7e5bd1548c432e9ef3dcb5c6f987a9ecae8f9a3563414e3
                                                          • Instruction Fuzzy Hash: 18E08636604A01CFD710EBA5E8407ADB752EBC4361F00857AC56AC7641CB79A95A9B41
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734696090.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b30000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 206bd29f2157b5db2e77c5678b1c70f0bffcb374d333fd7eca447feea588e85d
                                                          • Instruction ID: ed802e9eeceeec991b2adb6a6005d49b70e1c747ee575a5175ca06f3d42f53bd
                                                          • Opcode Fuzzy Hash: 206bd29f2157b5db2e77c5678b1c70f0bffcb374d333fd7eca447feea588e85d
                                                          • Instruction Fuzzy Hash: 84E02636204600CFC700EB84E84076DB352DBC0321F008439C15AC7640DB38A94ACB42
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734696090.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8b30000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6aa8dae538f0784bd008b256c2c5864762ed80f7f1d05c8bb89df1222c9033cd
                                                          • Instruction ID: 766125e306f5d38b7aeafcc8cb357d9220253e5a26894764a92cd60b1005d63d
                                                          • Opcode Fuzzy Hash: 6aa8dae538f0784bd008b256c2c5864762ed80f7f1d05c8bb89df1222c9033cd
                                                          • Instruction Fuzzy Hash: BCE08636204611DFD710EB95E8407ADB793DBC4361F408879C25AC7681DB39A99A9B41
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ab2caec5c4ad7589538a329d9c8444c98e25205415643e396e0a961b51d3dd32
                                                          • Instruction ID: 2b72262267c0a3201024d68e01f3ead3f37dfd272caac430a3e57ddce6cbe5d3
                                                          • Opcode Fuzzy Hash: ab2caec5c4ad7589538a329d9c8444c98e25205415643e396e0a961b51d3dd32
                                                          • Instruction Fuzzy Hash: 06E086791113449BE310EB38D88578377D59B82319F04897CC6094F396DFFA988647D1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e9c8a07c372f511b25662d9bd2429a99aa95308c615e526305cffc6b01228e03
                                                          • Instruction ID: 5617cec29595784c0001c1d730d76752d8ce5087074616962715738083a94eb6
                                                          • Opcode Fuzzy Hash: e9c8a07c372f511b25662d9bd2429a99aa95308c615e526305cffc6b01228e03
                                                          • Instruction Fuzzy Hash: 03D0A7307501149BC700F7FDE00446D3BDE9FC6A107600065E105DF351CE62EC0423D5
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 56391ff7479e1cc2d7d95c9a20ce039bd1f5010223af68eac40254ce14d9a9f2
                                                          • Instruction ID: 9af5b075fb496036b15bfd9789d67d721c21864c8d28526292954b4adf23f12e
                                                          • Opcode Fuzzy Hash: 56391ff7479e1cc2d7d95c9a20ce039bd1f5010223af68eac40254ce14d9a9f2
                                                          • Instruction Fuzzy Hash: 85E04675A14118DFCB04DF94F8889AEBBB1FF89326F10806AE542A7261CB30AD54CF50
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 06cd56914daf92355b872fcc2e1a3c93b4a48328332906776f0090983a508841
                                                          • Instruction ID: 901430e00e37d0db9eb107011eaf412bb9b5d6cecafc0e91051164401ce2c656
                                                          • Opcode Fuzzy Hash: 06cd56914daf92355b872fcc2e1a3c93b4a48328332906776f0090983a508841
                                                          • Instruction Fuzzy Hash: EEE04639E0120ACBCB18DFA0E8087EEB371EB8431AF144068C9166B2D1CB781D46CB40
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 779af6d8a91d31cfb9e6e26dee080a1cf0d6e9d0f29e9868400db4db77ebb3ab
                                                          • Instruction ID: f70fc84713b164de744e5797a03217a6d11f43db32b4e67aacf6fee6a01b85b3
                                                          • Opcode Fuzzy Hash: 779af6d8a91d31cfb9e6e26dee080a1cf0d6e9d0f29e9868400db4db77ebb3ab
                                                          • Instruction Fuzzy Hash: CFD05E392101149FC341EB69E508D457BAAEB482657114095EA0DCB362CA65DC018BA1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2731096452.0000000008480000.00000040.00000800.00020000.00000000.sdmp, Offset: 08480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8480000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 755da590678f38c3497bb4456e3a751b431ac80fcb4eafed804d235afe64b1dd
                                                          • Instruction ID: 9cdde589abcd50589c7d21d151217bcfd43cb5d2c2aad9760e8ee80ca8b12c43
                                                          • Opcode Fuzzy Hash: 755da590678f38c3497bb4456e3a751b431ac80fcb4eafed804d235afe64b1dd
                                                          • Instruction Fuzzy Hash: 51D05E392006109FC300EBA8E908E597BA9EB49311F1140AAEA098B362CA35DC058BE1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1151d60cdf3e12640aef714c576cb91ea08c7254cc832900921af2693030a7c6
                                                          • Instruction ID: 011641e813e1530729f0a9654d030665805d740571be244bb9138b71adc2dd01
                                                          • Opcode Fuzzy Hash: 1151d60cdf3e12640aef714c576cb91ea08c7254cc832900921af2693030a7c6
                                                          • Instruction Fuzzy Hash: FAD06735D05149DBCB1CABA4ED5A4FDBB34EE14202F40416DD90B622D2EB342A56CF81
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 843b7e30a9e76b82db3139074afbdd8abaaa5a8aa3265e1fe370b6a7dabfa62f
                                                          • Instruction ID: ab3cec4a985715076f78fc74fc0a2a0a1c80b7d31a605d398380a02d7318b70c
                                                          • Opcode Fuzzy Hash: 843b7e30a9e76b82db3139074afbdd8abaaa5a8aa3265e1fe370b6a7dabfa62f
                                                          • Instruction Fuzzy Hash: B0C08C7080D3941FD70322B42C540C07F2E98165173218292E944C72638A27680347B2
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2734068592.0000000008AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8af0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e5c37a0bd046a0caab4dde19675a668642c01b72f808ae990194a5c3f1719b28
                                                          • Instruction ID: 770bfebfa119a75939b3c504afcd86f24a33f89dc7191ae7995888f6df49319c
                                                          • Opcode Fuzzy Hash: e5c37a0bd046a0caab4dde19675a668642c01b72f808ae990194a5c3f1719b28
                                                          • Instruction Fuzzy Hash: 8FD0C9302442048BD358CF9AE44876233A69B8832AF6480BCA50C8AB56D7B5DC97CA61
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2cd7bbf39e6eaf00039733efaf0e1cdaef9becfe4d872d21d53fa926e387dd95
                                                          • Instruction ID: bcadd148f0aa3335d23010677e3bac05e6b721e71207a7208e8e4ee679792925
                                                          • Opcode Fuzzy Hash: 2cd7bbf39e6eaf00039733efaf0e1cdaef9becfe4d872d21d53fa926e387dd95
                                                          • Instruction Fuzzy Hash: 7FD0C9B56489418FD714C62CC0585A23B61AB95226B2540EDE0594B93AC722D8028A41
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1affb080377a8064bc0e07cb4939f3bf99e37176504e9b8b1a5f287d9d487efa
                                                          • Instruction ID: 0c35a50977e006f8c6ac6508db92b1958534c5f12c76129fd9ede67b019161ee
                                                          • Opcode Fuzzy Hash: 1affb080377a8064bc0e07cb4939f3bf99e37176504e9b8b1a5f287d9d487efa
                                                          • Instruction Fuzzy Hash: D5B0123330D0114B4C08114D70360ACF716D7D013B220806BD10AC1200DA1198034540
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a3792955da1c5768ee9ea26ee7b3d7e0410836fd0ba5b7c62b98a80e75669ca5
                                                          • Instruction ID: 9399c8a42797ac35aaf328dd16b49736cd0b6baad5298064d688e0fe05ace9da
                                                          • Opcode Fuzzy Hash: a3792955da1c5768ee9ea26ee7b3d7e0410836fd0ba5b7c62b98a80e75669ca5
                                                          • Instruction Fuzzy Hash: 67C04C98A0A3C59ACF129761A9081D8BF70BF82110B0892CED88D5E463CA304255DB52
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d0f3f13554d3356b05e07c62536274b8005d3177b24123197cd892454268a6f3
                                                          • Instruction ID: 9ae61e61f7cc888159f2df4c49afed67f14a95fac4b1285ba7dda13269176af9
                                                          • Opcode Fuzzy Hash: d0f3f13554d3356b05e07c62536274b8005d3177b24123197cd892454268a6f3
                                                          • Instruction Fuzzy Hash: C7A0223000832C8BC20033B0300C888330C8080800380C028E00EC30088F32F02000C0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ab692b53cea4574b17a9f600e86c5d533e784072d28060d4ccc793485ac4ebfa
                                                          • Instruction ID: ce5fbb07921573ee2725cff07ed4ccdd4d230447d5a724ced5183016bdedcc3b
                                                          • Opcode Fuzzy Hash: ab692b53cea4574b17a9f600e86c5d533e784072d28060d4ccc793485ac4ebfa
                                                          • Instruction Fuzzy Hash: 39A0223080832C8FCA0032B8300C808B30C8080800380C028F00CC300ACF32F03000C0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e0a44c92f86c2ca8139b3c1d999e24ad7074b2e700ec115fd94d0af828434431
                                                          • Instruction ID: 4f8c01321da4b331e9b3b21799d3c6b0f3b8ae2c75c1ce0aa81845aa90ac1cd8
                                                          • Opcode Fuzzy Hash: e0a44c92f86c2ca8139b3c1d999e24ad7074b2e700ec115fd94d0af828434431
                                                          • Instruction Fuzzy Hash: 81A0223000832C8BC20032B8320C8A8332C8080800380C028E00CC300C8F32F03000C0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1654eac508b3c7a491726dfe4a0add7ded906da21b091056812b4a889ae8b516
                                                          • Instruction ID: f7ca0a67ddce4f9801866ea7fa33e304313c0152fb540a56bc3b9559fa18f5c1
                                                          • Opcode Fuzzy Hash: 1654eac508b3c7a491726dfe4a0add7ded906da21b091056812b4a889ae8b516
                                                          • Instruction Fuzzy Hash: B9A0223000832C8BC30032B8300C828332CA080A00380C028E00CC300C8F32F03000C8
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c70605583a8c23e8eca95ff1d0ffea37f55544d17c60190202fefaf1008aa768
                                                          • Instruction ID: e1873c9c08d6a51f8b37cdb4017ecddede5b702094cb361cab4701adda4578b8
                                                          • Opcode Fuzzy Hash: c70605583a8c23e8eca95ff1d0ffea37f55544d17c60190202fefaf1008aa768
                                                          • Instruction Fuzzy Hash: B5B0123190504DCF8708CA40E80D0BCBB32D781102B0001C8D80B35080EA150C208780
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: eea9bb2af35d57c6a70f6e9e35c25184a47752d0de3e1fd4abdef2c74bd2a8fb
                                                          • Instruction ID: 7947a7bc17915e0f0c48c689d645b84c86726234dad3c3e3fb362ddbb646a909
                                                          • Opcode Fuzzy Hash: eea9bb2af35d57c6a70f6e9e35c25184a47752d0de3e1fd4abdef2c74bd2a8fb
                                                          • Instruction Fuzzy Hash: 3AA0223080832C8BC30032B0300C888B30C8080822B80C028E80CC30088F32F03000C0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 905dabf56262223e91fb92bd6dfc62ee3ce9a12b8d6c06797e426cd54fb2b529
                                                          • Instruction ID: 8a3046ec5a79b71c5c2274c4ccfc9f6e3584a0c6aa4b23f2d0d8b31a74635f15
                                                          • Opcode Fuzzy Hash: 905dabf56262223e91fb92bd6dfc62ee3ce9a12b8d6c06797e426cd54fb2b529
                                                          • Instruction Fuzzy Hash: B5A0223000832C8BC20032B8300C828B32C8080800380C028E00CC300E8F32F03000C0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3933450815e126ea5d7b23d12ea0d3fe944ce6f3dbeb73f418fc19ce88f2c9eb
                                                          • Instruction ID: df80673023f4a4c94e088ac6a2f44405047901a2befa37520d6bfc315ae74d77
                                                          • Opcode Fuzzy Hash: 3933450815e126ea5d7b23d12ea0d3fe944ce6f3dbeb73f418fc19ce88f2c9eb
                                                          • Instruction Fuzzy Hash: B1A0223000832C8BC20032B0380C88E338C8080A02380C0A8E20EC30088F32F02000C0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b3ebd12c1de13544714775536c0515da2f8abb07c3516df15eee0296a8273d92
                                                          • Instruction ID: 92f9eff1534bc96a1d26d4319716802966d2b8ffcb1b3bf1563f40cf9c27f1b5
                                                          • Opcode Fuzzy Hash: b3ebd12c1de13544714775536c0515da2f8abb07c3516df15eee0296a8273d92
                                                          • Instruction Fuzzy Hash: 5AA0223080832C8FCB0032B0300C888330C8080823380C028F80CC3008CF32F02000C0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: df5ae43d96304be020bf7a0d68824e6036a60eda0f0798f640ed0b05f1314a64
                                                          • Instruction ID: 50c0e5afe83ff8c1296b69f0313f99a987e0b64b4951ac0c3aa19e41c28152ae
                                                          • Opcode Fuzzy Hash: df5ae43d96304be020bf7a0d68824e6036a60eda0f0798f640ed0b05f1314a64
                                                          • Instruction Fuzzy Hash: D3A0223080832C8FCA0032B0300C8883B0C8880800380C028F00CCB008CF32F02000C0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3d8b31ab4355da8a9ac7033be4cb70a2a1bc0b8cc6037fb05f2bd9c81187f0b6
                                                          • Instruction ID: 3883dacfb2685d5b912ea07b48244d799dd2fd30e3e014cfb0dfef9d2c86a13d
                                                          • Opcode Fuzzy Hash: 3d8b31ab4355da8a9ac7033be4cb70a2a1bc0b8cc6037fb05f2bd9c81187f0b6
                                                          • Instruction Fuzzy Hash: D2A0223080030C8BC30032B0300C888338CA080882380C028F00E8380A8F32F02000C2
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2741393796.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8e70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d498ed79b2e73a45887d56579d14ad63cc6632fe9bb9e6c86605fde7a98161b0
                                                          • Instruction ID: 011393064a72ce786dfc3adf1d73dc33096405e2ab69c267e67222cfbc4b23eb
                                                          • Opcode Fuzzy Hash: d498ed79b2e73a45887d56579d14ad63cc6632fe9bb9e6c86605fde7a98161b0
                                                          • Instruction Fuzzy Hash: 01A0223080832C8FCB0032B0300C808330CA080A003C0C028F00CC3008CF32F02080C8
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c7ecd5182ead822f14c1a582006564841c29b658f0840a6dc056283f01503f37
                                                          • Instruction ID: 8cc1e9e2a6e5240575a21d4e27e7dd5bf7201a75cc5a212e5a04e8dd44666767
                                                          • Opcode Fuzzy Hash: c7ecd5182ead822f14c1a582006564841c29b658f0840a6dc056283f01503f37
                                                          • Instruction Fuzzy Hash: 28A0223000830C8BC28032B0300C88CB30E8080C2E380C028E00E830088F32E00080E0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2735784977.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8bc0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 78236b1e2153399a0d998ea974c0c6d8d15713262230ed5ea2fd1599c3defee3
                                                          • Instruction ID: fba838f8bfc28a6f016f6a055525633fbea8b6264e71c58dcc2ad3bb026d5fac
                                                          • Opcode Fuzzy Hash: 78236b1e2153399a0d998ea974c0c6d8d15713262230ed5ea2fd1599c3defee3
                                                          • Instruction Fuzzy Hash: 4CA0223088030C8BC30032B0300C80C330EA08080CB80C028E00E830088F32E00000E8
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2742181174.0000000008EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_8eb0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: de31cf293c3f488c5006e5a28de69a3711588c0e475660a6d6a2aab9a3e2e0bc
                                                          • Instruction ID: c5a8e9b3abcb819bcef83db5192c50d34c066e4beebc4ffd92571138f304f8a7
                                                          • Opcode Fuzzy Hash: de31cf293c3f488c5006e5a28de69a3711588c0e475660a6d6a2aab9a3e2e0bc
                                                          • Instruction Fuzzy Hash: