Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
BootstrapperV1.16.exe

Overview

General Information

Sample name:BootstrapperV1.16.exe
Analysis ID:1584550
MD5:835c37f624f71f8b24e75e261cd3c128
SHA1:aa90cec899e869cc185d55b6529c39ef7d6eae73
SHA256:46f77ac2874e2a8a9b48a031360e269d132587c995ab320c619bce2bd324774e
Tags:exexwormuser-aachum
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • BootstrapperV1.16.exe (PID: 7536 cmdline: "C:\Users\user\Desktop\BootstrapperV1.16.exe" MD5: 835C37F624F71F8B24E75E261CD3C128)
    • powershell.exe (PID: 7656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BootstrapperV1.16.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7200 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • RuntimeBroker.exe (PID: 5800 cmdline: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" MD5: 835C37F624F71F8B24E75E261CD3C128)
  • RuntimeBroker.exe (PID: 8108 cmdline: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" MD5: 835C37F624F71F8B24E75E261CD3C128)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["127.0.0.1", "24.ip.gl.ply.gg"], "Port": 61472, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
BootstrapperV1.16.exeJoeSecurity_XWormYara detected XWormJoe Security
    BootstrapperV1.16.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      BootstrapperV1.16.exerat_win_xworm_v3Finds XWorm (version XClient, v3) samples based on characteristic stringsSekoia.io
      • 0xdff0:$str01: $VB$Local_Port
      • 0xe01d:$str02: $VB$Local_Host
      • 0xbfae:$str03: get_Jpeg
      • 0xc82e:$str04: get_ServicePack
      • 0xf778:$str05: Select * from AntivirusProduct
      • 0x100dd:$str06: PCRestart
      • 0x100f1:$str07: shutdown.exe /f /r /t 0
      • 0x101a3:$str08: StopReport
      • 0x10179:$str09: StopDDos
      • 0x1027b:$str10: sendPlugin
      • 0x10409:$str12: -ExecutionPolicy Bypass -File "
      • 0x10da2:$str13: Content-length: 5235
      BootstrapperV1.16.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xf2d0:$s6: VirtualBox
      • 0xf22e:$s8: Win32_ComputerSystem
      • 0x122cc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x12369:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x1247e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x10cbd:$cnc4: POST / HTTP/1.1

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Users\user\AppData\Roaming\RuntimeBroker.exeJoeSecurity_XWormYara detected XWormJoe Security
        C:\Users\user\AppData\Roaming\RuntimeBroker.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Users\user\AppData\Roaming\RuntimeBroker.exerat_win_xworm_v3Finds XWorm (version XClient, v3) samples based on characteristic stringsSekoia.io
          • 0xdff0:$str01: $VB$Local_Port
          • 0xe01d:$str02: $VB$Local_Host
          • 0xbfae:$str03: get_Jpeg
          • 0xc82e:$str04: get_ServicePack
          • 0xf778:$str05: Select * from AntivirusProduct
          • 0x100dd:$str06: PCRestart
          • 0x100f1:$str07: shutdown.exe /f /r /t 0
          • 0x101a3:$str08: StopReport
          • 0x10179:$str09: StopDDos
          • 0x1027b:$str10: sendPlugin
          • 0x10409:$str12: -ExecutionPolicy Bypass -File "
          • 0x10da2:$str13: Content-length: 5235
          C:\Users\user\AppData\Roaming\RuntimeBroker.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0xf2d0:$s6: VirtualBox
          • 0xf22e:$s8: Win32_ComputerSystem
          • 0x122cc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x12369:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x1247e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x10cbd:$cnc4: POST / HTTP/1.1

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000000.00000002.2961557097.0000000012A22000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            00000000.00000002.2961557097.0000000012A22000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0xed48:$s6: VirtualBox
            • 0xeca6:$s8: Win32_ComputerSystem
            • 0x11d44:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x11de1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0x11ef6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0x10735:$cnc4: POST / HTTP/1.1
            00000000.00000000.1675665365.0000000000882000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
              00000000.00000000.1675665365.0000000000882000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0xf0d0:$s6: VirtualBox
              • 0xf02e:$s8: Win32_ComputerSystem
              • 0x120cc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0x12169:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0x1227e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0x10abd:$cnc4: POST / HTTP/1.1
              00000000.00000002.2931914531.0000000002A11000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
                Click to see the 1 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                0.0.BootstrapperV1.16.exe.880000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                  0.0.BootstrapperV1.16.exe.880000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                    0.0.BootstrapperV1.16.exe.880000.0.unpackrat_win_xworm_v3Finds XWorm (version XClient, v3) samples based on characteristic stringsSekoia.io
                    • 0xdff0:$str01: $VB$Local_Port
                    • 0xe01d:$str02: $VB$Local_Host
                    • 0xbfae:$str03: get_Jpeg
                    • 0xc82e:$str04: get_ServicePack
                    • 0xf778:$str05: Select * from AntivirusProduct
                    • 0x100dd:$str06: PCRestart
                    • 0x100f1:$str07: shutdown.exe /f /r /t 0
                    • 0x101a3:$str08: StopReport
                    • 0x10179:$str09: StopDDos
                    • 0x1027b:$str10: sendPlugin
                    • 0x10409:$str12: -ExecutionPolicy Bypass -File "
                    • 0x10da2:$str13: Content-length: 5235
                    0.0.BootstrapperV1.16.exe.880000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                    • 0xf2d0:$s6: VirtualBox
                    • 0xf22e:$s8: Win32_ComputerSystem
                    • 0x122cc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                    • 0x12369:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                    • 0x1247e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                    • 0x10cbd:$cnc4: POST / HTTP/1.1

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Files With System Process Name In Unsuspected Locations
                    Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\BootstrapperV1.16.exe, ProcessId: 7536, TargetFilename: C:\Users\user\AppData\Roaming\RuntimeBroker.exe
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BootstrapperV1.16.exe", ParentImage: C:\Users\user\Desktop\BootstrapperV1.16.exe, ParentProcessId: 7536, ParentProcessName: BootstrapperV1.16.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe', ProcessId: 7656, ProcessName: powershell.exe
                    Sigma detected: System File Execution Location Anomaly
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" , CommandLine: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, NewProcessName: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, OriginalFileName: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\AppData\Roaming\RuntimeBroker.exe" , ProcessId: 5800, ProcessName: RuntimeBroker.exe
                    Sigma detected: Change PowerShell Policies to an Insecure Level
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BootstrapperV1.16.exe", ParentImage: C:\Users\user\Desktop\BootstrapperV1.16.exe, ParentProcessId: 7536, ParentProcessName: BootstrapperV1.16.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe', ProcessId: 7656, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BootstrapperV1.16.exe", ParentImage: C:\Users\user\Desktop\BootstrapperV1.16.exe, ParentProcessId: 7536, ParentProcessName: BootstrapperV1.16.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe', ProcessId: 7656, ProcessName: powershell.exe
                    Sigma detected: Startup Folder File Write
                    Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\BootstrapperV1.16.exe, ProcessId: 7536, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BootstrapperV1.16.exe", ParentImage: C:\Users\user\Desktop\BootstrapperV1.16.exe, ParentProcessId: 7536, ParentProcessName: BootstrapperV1.16.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe', ProcessId: 7656, ProcessName: powershell.exe

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-01-05T20:33:02.801620+010028528701Malware Command and Control Activity Detected147.185.221.2461472192.168.2.449738TCP
                    2025-01-05T20:33:06.186117+010028528701Malware Command and Control Activity Detected147.185.221.2461472192.168.2.449738TCP
                    2025-01-05T20:33:19.032487+010028528701Malware Command and Control Activity Detected147.185.221.2461472192.168.2.449738TCP
                    2025-01-05T20:33:31.652308+010028528701Malware Command and Control Activity Detected147.185.221.2461472192.168.2.449738TCP
                    2025-01-05T20:33:32.799137+010028528701Malware Command and Control Activity Detected147.185.221.2461472192.168.2.449738TCP
                    2025-01-05T20:33:44.390005+010028528701Malware Command and Control Activity Detected147.185.221.2461472192.168.2.449738TCP
                    2025-01-05T20:33:57.121604+010028528701Malware Command and Control Activity Detected147.185.221.2461472192.168.2.449738TCP
                    2025-01-05T20:33:58.731002+010028528701Malware Command and Control Activity Detected147.185.221.2461472192.168.2.449738TCP
                    2025-01-05T20:34:00.652449+010028528701Malware Command and Control Activity Detected147.185.221.2461472192.168.2.449738TCP
                    2025-01-05T20:34:02.813450+010028528701Malware Command and Control Activity Detected147.185.221.2461472192.168.2.449738TCP
                    2025-01-05T20:34:07.226278+010028528701Malware Command and Control Activity Detected147.185.221.2461472192.168.2.449738TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-01-05T20:33:06.187523+010028529231Malware Command and Control Activity Detected192.168.2.449738147.185.221.2461472TCP
                    2025-01-05T20:33:19.035723+010028529231Malware Command and Control Activity Detected192.168.2.449738147.185.221.2461472TCP
                    2025-01-05T20:33:31.654408+010028529231Malware Command and Control Activity Detected192.168.2.449738147.185.221.2461472TCP
                    2025-01-05T20:33:44.392189+010028529231Malware Command and Control Activity Detected192.168.2.449738147.185.221.2461472TCP
                    2025-01-05T20:33:57.123379+010028529231Malware Command and Control Activity Detected192.168.2.449738147.185.221.2461472TCP
                    2025-01-05T20:33:58.732649+010028529231Malware Command and Control Activity Detected192.168.2.449738147.185.221.2461472TCP
                    2025-01-05T20:34:00.657534+010028529231Malware Command and Control Activity Detected192.168.2.449738147.185.221.2461472TCP
                    2025-01-05T20:34:07.226938+010028529231Malware Command and Control Activity Detected192.168.2.449738147.185.221.2461472TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-01-05T20:33:02.801620+010028528741Malware Command and Control Activity Detected147.185.221.2461472192.168.2.449738TCP
                    2025-01-05T20:33:32.799137+010028528741Malware Command and Control Activity Detected147.185.221.2461472192.168.2.449738TCP
                    2025-01-05T20:34:02.813450+010028528741Malware Command and Control Activity Detected147.185.221.2461472192.168.2.449738TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-01-05T20:33:18.591573+010028559241Malware Command and Control Activity Detected192.168.2.449738147.185.221.2461472TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: BootstrapperV1.16.exeAvira: detected
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Found malware configuration
                    Source: BootstrapperV1.16.exeMalware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "24.ip.gl.ply.gg"], "Port": 61472, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeReversingLabs: Detection: 76%
                    Multi AV Scanner detection for submitted file
                    Source: BootstrapperV1.16.exeReversingLabs: Detection: 76%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: BootstrapperV1.16.exeJoe Sandbox ML: detected
                    Sample uses string decryption to hide its real strings
                    Source: BootstrapperV1.16.exeString decryptor: 127.0.0.1,24.ip.gl.ply.gg
                    Source: BootstrapperV1.16.exeString decryptor: 61472
                    Source: BootstrapperV1.16.exeString decryptor: <123456789>
                    Source: BootstrapperV1.16.exeString decryptor: <Xwormmm>
                    Source: BootstrapperV1.16.exeString decryptor:
                    Source: BootstrapperV1.16.exeString decryptor: USB.exe
                    Source: BootstrapperV1.16.exeString decryptor: %AppData%
                    Source: BootstrapperV1.16.exeString decryptor: RuntimeBroker.exe
                    Source: BootstrapperV1.16.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: BootstrapperV1.16.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 147.185.221.24:61472 -> 192.168.2.4:49738
                    Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 147.185.221.24:61472 -> 192.168.2.4:49738
                    Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49738 -> 147.185.221.24:61472
                    Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49738 -> 147.185.221.24:61472
                    C2 URLs / IPs found in malware configuration
                    Source: Malware configuration extractorURLs: 127.0.0.1
                    Source: Malware configuration extractorURLs: 24.ip.gl.ply.gg
                    Connects to many ports of the same IP (likely port scanning)
                    Source: global trafficTCP traffic: 147.185.221.24 ports 61472,1,2,4,6,7
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: BootstrapperV1.16.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.BootstrapperV1.16.exe.880000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, type: DROPPED
                    Source: global trafficTCP traffic: 192.168.2.4:49738 -> 147.185.221.24:61472
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                    Source: Joe Sandbox ViewIP Address: 147.185.221.24 147.185.221.24
                    Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
                    Source: unknownDNS query: name: ip-api.com
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: ip-api.com
                    Source: global trafficDNS traffic detected: DNS query: 24.ip.gl.ply.gg
                    Source: powershell.exe, 00000001.00000002.1775580007.000001BFF8230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                    Source: powershell.exe, 00000001.00000002.1775580007.000001BFF8230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro/pki/crl/productCerAut_2010-06-2
                    Source: BootstrapperV1.16.exe, RuntimeBroker.exe.0.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: powershell.exe, 00000001.00000002.1766388571.000001BF90076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1850926111.000001FDB2066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1989841862.000001DA38ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2177090574.000001CEE3013000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 0000000B.00000002.2047132449.000001CED31CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000001.00000002.1751727829.000001BF80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800352818.000001FDA2218000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1905966006.000001DA2908A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2047132449.000001CED31CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: BootstrapperV1.16.exe, 00000000.00000002.2931914531.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1751727829.000001BF80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800352818.000001FDA1FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1905966006.000001DA28E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2047132449.000001CED2FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000001.00000002.1751727829.000001BF80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800352818.000001FDA2218000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1905966006.000001DA2908A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2047132449.000001CED31CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 0000000B.00000002.2047132449.000001CED31CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 0000000B.00000002.2208188317.000001CEEB7DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwwrosocrostp:/ime20210(1).c
                    Source: powershell.exe, 00000001.00000002.1751727829.000001BF80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800352818.000001FDA1FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1905966006.000001DA28E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2047132449.000001CED2FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 0000000B.00000002.2177090574.000001CEE3013000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000000B.00000002.2177090574.000001CEE3013000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000000B.00000002.2177090574.000001CEE3013000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 0000000B.00000002.2047132449.000001CED31CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000001.00000002.1766388571.000001BF90076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1850926111.000001FDB2066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1989841862.000001DA38ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2177090574.000001CEE3013000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

                    Operating System Destruction

                    barindex
                    Protects its processes via BreakOnTermination flag
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: 01 00 00 00 Jump to behavior

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: BootstrapperV1.16.exe, type: SAMPLEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: BootstrapperV1.16.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.0.BootstrapperV1.16.exe.880000.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: 0.0.BootstrapperV1.16.exe.880000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000002.2961557097.0000000012A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000000.1675665365.0000000000882000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, type: DROPPEDMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeCode function: 0_2_00007FFD9B8816E90_2_00007FFD9B8816E9
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeCode function: 0_2_00007FFD9B885F310_2_00007FFD9B885F31
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeCode function: 0_2_00007FFD9B8821810_2_00007FFD9B882181
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeCode function: 0_2_00007FFD9B886CE10_2_00007FFD9B886CE1
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeCode function: 0_2_00007FFD9B88A7380_2_00007FFD9B88A738
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeCode function: 0_2_00007FFD9B881EF90_2_00007FFD9B881EF9
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeCode function: 0_2_00007FFD9B8810FA0_2_00007FFD9B8810FA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B9530E97_2_00007FFD9B9530E9
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeCode function: 13_2_00007FFD9B8916E913_2_00007FFD9B8916E9
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeCode function: 13_2_00007FFD9B890E5E13_2_00007FFD9B890E5E
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeCode function: 13_2_00007FFD9B891EF913_2_00007FFD9B891EF9
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeCode function: 14_2_00007FFD9B8916E914_2_00007FFD9B8916E9
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeCode function: 14_2_00007FFD9B890E5E14_2_00007FFD9B890E5E
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeCode function: 14_2_00007FFD9B891EF914_2_00007FFD9B891EF9
                    Source: BootstrapperV1.16.exe, 00000000.00000002.2964271180.000000001B81C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowe vs BootstrapperV1.16.exe
                    Source: BootstrapperV1.16.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: BootstrapperV1.16.exe, type: SAMPLEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: BootstrapperV1.16.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.0.BootstrapperV1.16.exe.880000.0.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: 0.0.BootstrapperV1.16.exe.880000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000002.2961557097.0000000012A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000000.1675665365.0000000000882000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, type: DROPPEDMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: BootstrapperV1.16.exe, 1GX1cj7BjvLmt39ChXJM1BKc2FZbcYTQ7.csCryptographic APIs: 'TransformFinalBlock'
                    Source: BootstrapperV1.16.exe, 1GX1cj7BjvLmt39ChXJM1BKc2FZbcYTQ7.csCryptographic APIs: 'TransformFinalBlock'
                    Source: BootstrapperV1.16.exe, m0B7yeshFCUMyPXttOigEUQoowydIPEz6.csCryptographic APIs: 'TransformFinalBlock'
                    Source: RuntimeBroker.exe.0.dr, 1GX1cj7BjvLmt39ChXJM1BKc2FZbcYTQ7.csCryptographic APIs: 'TransformFinalBlock'
                    Source: RuntimeBroker.exe.0.dr, 1GX1cj7BjvLmt39ChXJM1BKc2FZbcYTQ7.csCryptographic APIs: 'TransformFinalBlock'
                    Source: RuntimeBroker.exe.0.dr, m0B7yeshFCUMyPXttOigEUQoowydIPEz6.csCryptographic APIs: 'TransformFinalBlock'
                    Source: BootstrapperV1.16.exe, 5xu4vnHJXK0y0bM9IQa5mFpLbw0VwznJcJ3QZlRQyquzpat1.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: BootstrapperV1.16.exe, 5xu4vnHJXK0y0bM9IQa5mFpLbw0VwznJcJ3QZlRQyquzpat1.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: RuntimeBroker.exe.0.dr, 5xu4vnHJXK0y0bM9IQa5mFpLbw0VwznJcJ3QZlRQyquzpat1.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: RuntimeBroker.exe.0.dr, 5xu4vnHJXK0y0bM9IQa5mFpLbw0VwznJcJ3QZlRQyquzpat1.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.evad.winEXE@15/21@2/2
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeFile created: C:\Users\user\AppData\Roaming\RuntimeBroker.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2640:120:WilError_03
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeMutant created: \Sessions\1\BaseNamedObjects\89ezHOZHqHY3l8mx
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                    Source: BootstrapperV1.16.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: BootstrapperV1.16.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: BootstrapperV1.16.exeReversingLabs: Detection: 76%
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeFile read: C:\Users\user\Desktop\BootstrapperV1.16.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\BootstrapperV1.16.exe "C:\Users\user\Desktop\BootstrapperV1.16.exe"
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BootstrapperV1.16.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\RuntimeBroker.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe "C:\Users\user\AppData\Roaming\RuntimeBroker.exe"
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BootstrapperV1.16.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: avicap32.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: msvfw32.dllJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                    Source: RuntimeBroker.lnk.0.drLNK file: ..\..\..\..\..\RuntimeBroker.exe
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: BootstrapperV1.16.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: BootstrapperV1.16.exeStatic file information: File size 1321984 > 1048576
                    Source: BootstrapperV1.16.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    barindex
                    .NET source code contains method to dynamically call methods (often used by packers)
                    Source: BootstrapperV1.16.exe, lTbfnmh5SWlYUY1dETXUGxAExIiZqthTSyx7IL2KjS2rzw47.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{tojobrxk4BWvY1lQ6HKL4OGnCszWyiksqWzMlY14X52WOx8y.yLYL5fa5aRGvxpnm4Xtzl4o702mSWzFo7Rvt4y9g13R3JRbz,tojobrxk4BWvY1lQ6HKL4OGnCszWyiksqWzMlY14X52WOx8y.H88hyXiXM0IiXfV99bx2dBeLhNX2nyrkZWMwMPnkx824FDRC,tojobrxk4BWvY1lQ6HKL4OGnCszWyiksqWzMlY14X52WOx8y.eVrUuHiv2qy9DtLjhC3EHjzoOsIbLeWzWVDYNuGtk0FRjV5M,tojobrxk4BWvY1lQ6HKL4OGnCszWyiksqWzMlY14X52WOx8y._7tODzNpGAaVHPss0X4sCF3CaOhyp07ZYMFtv1GyJEB6pqmqV,_1GX1cj7BjvLmt39ChXJM1BKc2FZbcYTQ7._5rDLiQQMtQcdE2eY9QUtN6o3vWvNYzMDo()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: BootstrapperV1.16.exe, lTbfnmh5SWlYUY1dETXUGxAExIiZqthTSyx7IL2KjS2rzw47.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_6tpbOOBHLrS0lpE0za3VHW6C71TgOWPK8G9hly2u4DixfmLl[2],_1GX1cj7BjvLmt39ChXJM1BKc2FZbcYTQ7._9BMenrwfxHOG85EFtloNQRU8UBSSsXkVM(Convert.FromBase64String(_6tpbOOBHLrS0lpE0za3VHW6C71TgOWPK8G9hly2u4DixfmLl[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: BootstrapperV1.16.exe, lTbfnmh5SWlYUY1dETXUGxAExIiZqthTSyx7IL2KjS2rzw47.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _6tpbOOBHLrS0lpE0za3VHW6C71TgOWPK8G9hly2u4DixfmLl[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: RuntimeBroker.exe.0.dr, lTbfnmh5SWlYUY1dETXUGxAExIiZqthTSyx7IL2KjS2rzw47.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{tojobrxk4BWvY1lQ6HKL4OGnCszWyiksqWzMlY14X52WOx8y.yLYL5fa5aRGvxpnm4Xtzl4o702mSWzFo7Rvt4y9g13R3JRbz,tojobrxk4BWvY1lQ6HKL4OGnCszWyiksqWzMlY14X52WOx8y.H88hyXiXM0IiXfV99bx2dBeLhNX2nyrkZWMwMPnkx824FDRC,tojobrxk4BWvY1lQ6HKL4OGnCszWyiksqWzMlY14X52WOx8y.eVrUuHiv2qy9DtLjhC3EHjzoOsIbLeWzWVDYNuGtk0FRjV5M,tojobrxk4BWvY1lQ6HKL4OGnCszWyiksqWzMlY14X52WOx8y._7tODzNpGAaVHPss0X4sCF3CaOhyp07ZYMFtv1GyJEB6pqmqV,_1GX1cj7BjvLmt39ChXJM1BKc2FZbcYTQ7._5rDLiQQMtQcdE2eY9QUtN6o3vWvNYzMDo()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: RuntimeBroker.exe.0.dr, lTbfnmh5SWlYUY1dETXUGxAExIiZqthTSyx7IL2KjS2rzw47.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_6tpbOOBHLrS0lpE0za3VHW6C71TgOWPK8G9hly2u4DixfmLl[2],_1GX1cj7BjvLmt39ChXJM1BKc2FZbcYTQ7._9BMenrwfxHOG85EFtloNQRU8UBSSsXkVM(Convert.FromBase64String(_6tpbOOBHLrS0lpE0za3VHW6C71TgOWPK8G9hly2u4DixfmLl[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: RuntimeBroker.exe.0.dr, lTbfnmh5SWlYUY1dETXUGxAExIiZqthTSyx7IL2KjS2rzw47.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _6tpbOOBHLrS0lpE0za3VHW6C71TgOWPK8G9hly2u4DixfmLl[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                    .NET source code contains potential unpacker
                    Source: BootstrapperV1.16.exe, lTbfnmh5SWlYUY1dETXUGxAExIiZqthTSyx7IL2KjS2rzw47.cs.Net Code: jAIB97CXc5efIhesD3zic9mdC6vVWZusfch86XdC6SXPc3LG System.AppDomain.Load(byte[])
                    Source: BootstrapperV1.16.exe, lTbfnmh5SWlYUY1dETXUGxAExIiZqthTSyx7IL2KjS2rzw47.cs.Net Code: M4oJZccZOz6UdofReddRxbLKnxBvv85z0PXWlRIPLXOk5C4R System.AppDomain.Load(byte[])
                    Source: BootstrapperV1.16.exe, lTbfnmh5SWlYUY1dETXUGxAExIiZqthTSyx7IL2KjS2rzw47.cs.Net Code: M4oJZccZOz6UdofReddRxbLKnxBvv85z0PXWlRIPLXOk5C4R
                    Source: RuntimeBroker.exe.0.dr, lTbfnmh5SWlYUY1dETXUGxAExIiZqthTSyx7IL2KjS2rzw47.cs.Net Code: jAIB97CXc5efIhesD3zic9mdC6vVWZusfch86XdC6SXPc3LG System.AppDomain.Load(byte[])
                    Source: RuntimeBroker.exe.0.dr, lTbfnmh5SWlYUY1dETXUGxAExIiZqthTSyx7IL2KjS2rzw47.cs.Net Code: M4oJZccZOz6UdofReddRxbLKnxBvv85z0PXWlRIPLXOk5C4R System.AppDomain.Load(byte[])
                    Source: RuntimeBroker.exe.0.dr, lTbfnmh5SWlYUY1dETXUGxAExIiZqthTSyx7IL2KjS2rzw47.cs.Net Code: M4oJZccZOz6UdofReddRxbLKnxBvv85z0PXWlRIPLXOk5C4R
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeCode function: 0_2_00007FFD9B88814D push ebx; ret 0_2_00007FFD9B88816A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B76D2A5 pushad ; iretd 1_2_00007FFD9B76D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B952316 push 8B485F94h; iretd 1_2_00007FFD9B95231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B77D2A5 pushad ; iretd 4_2_00007FFD9B77D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B895E57 push esp; retf 4_2_00007FFD9B895E58
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B962316 push 8B485F93h; iretd 4_2_00007FFD9B96231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B76D2A5 pushad ; iretd 7_2_00007FFD9B76D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B952316 push 8B485F94h; iretd 7_2_00007FFD9B95231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B78D2A5 pushad ; iretd 11_2_00007FFD9B78D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B972316 push 8B485F92h; iretd 11_2_00007FFD9B97231B
                    Source: BootstrapperV1.16.exe, tojobrxk4BWvY1lQ6HKL4OGnCszWyiksqWzMlY14X52WOx8y.csHigh entropy of concatenated method names: 'lZF1HpuA5wrgn9FPo3WX5kk6SYiE9qovH', 'ljKcKRE8Z9gPVY70nHbHPEfJWumWeXMCQ', 'ofJmDvJo7OotK35gDFgMwgTGKXqO7prpf', 'V5OHeVFmHPb3gErRhxFoHQd92cJcLbW3z'
                    Source: BootstrapperV1.16.exe, bJCrM1wCcp7U35tvaY5PFjxpqHTk9epcG.csHigh entropy of concatenated method names: 'uTdz6YCWNMUpxviko2HZseFKh4ygfAUt2', 'hRgsYvf12VAevSAHiM1YTdR8UpZ6WCz7d', 'VbEr8LXcuADGNg5TDoEykdKnSo8vq60u6', 'k4o3dYlgprKWJeftywuUgkyqLTeGlzj2hUPwkKLOc09VeQh6RKQafpZ4juwinZePeHbAaB2IyNitpN84xyY', 'EC06bDErB7POL9kqDBp9xfJYwmhZcS2GvfRzM9YP6ttUpwHzYwRJoV7mElQgwxfHjnt2Js8km2ufmRqtpAC', 'KvUT7Iuxjeft0VyDhAZEOklFZ2XuMbMfD7ISvVhP7knsiUa9Fn1bvanAVQkMsAFU9BOzYMI2OGHw2co1XA2', '_2k3rpA70S0hNJ0aT2BQiR67lEA4CMsUn45StUZeLj1sFjWhewekbO0gnURzHHgcrVqZqP6wKIM0mcVgBDt0', 'zW5LvmhXHM2tjPV2D6hZQIq02yVDH0DnZr7EDz0gQ30c7bKCIpeUkf1sBPLIeEFKyw65IMZCxTYZ2wHdl3z', '_0OFRWCIeE1DPp59EzsfIgjQ4kMk85gHihlpxGjrpwicuyySOoWweDGNwKpOZjgI1THqlDXWmY275AErIfcq', 'BEbULDkUUk7z2MTQ3hw77EcaGKecvztxI27yvBlFjlZiYtBHiABLX38DWWjOruco6Hg3OetxgAdEyli2ys4'
                    Source: BootstrapperV1.16.exe, aV9OrMIX4hKGn3f8bOYpd3J0vIGYVpQ3bKglvibRWDudQuga.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Uq2AYxGaapBCUCLaiC2t9NXhXE7l1pb8r', 'gC9xnDZT5Wcmq0wzwUjIwrL6ZikEClH4d', 'KZ7FNlklhpSv4Sw5zldXgQpXHBEky6OlS', '_5KwQPWeVtfZrVjTztRMRUpvCQWIRcNuDI'
                    Source: BootstrapperV1.16.exe, lTbfnmh5SWlYUY1dETXUGxAExIiZqthTSyx7IL2KjS2rzw47.csHigh entropy of concatenated method names: 'xQhpPupKQWeDnYp2qn6jA7uDsTS0t9MlY5cWemNqXJool81e', 'jAIB97CXc5efIhesD3zic9mdC6vVWZusfch86XdC6SXPc3LG', 'LMH0KufrYu4GlXxZj5fBX0wofuuPi8daoMxCfYaeQ496q9a9', 'y3yzieuwvIFjcifNci2tq9RRzpS3oEUN6SSdlsMtaNzFceK8', 'L7CzxcJDCVkWnXftpWMoEPNUN9Gz2YduCpJo3em5FEgxiKBD', 'UzTaa9Oju8EeJEIIiuRpWZolgjZ5umQyIduP0iluQfeVrGMG', 'EcWH9yfZKqMA5hSkk98xTf4YDQ5WlZT1Fls7RzqVme2pPefZ', '_3UNFuKnCgiyPkw4GgBEzwFcOjZCW6ov0gm7sBzv7o82ZYPGg', 'hhYqoV76lVpw4RJKmYqfhdFmdKiXFv3ktJ8JF5pbDQ2S3fXB', 'NyQVBJB2MRNW7coUfyB7EZNq9wd8qLsp6miFSBa7PVcVzMuW'
                    Source: BootstrapperV1.16.exe, QiAcIDVohP5zwGwovBrjE6G4PTDImC4HqrosnpIaj3XbsuQL.csHigh entropy of concatenated method names: 'T0pllQIz28sqJdEFA23gPStIEWHkAORVFTRDU4p5Le5peO7E', '_6i31SDhv0f4pUcUOszPTgxiFuEFHZG38zqm5Oe8rKFmV73Z2blwDInUMWqcOhXQlF8', 'So2j666Vg04MPHS5G3FZfGAoQTuEPr1YIdU6uIORc7jAPsCfXPwIHK1oVCIKEFRC1y', 'U9GjUHVlmkQCG3AesH00KLpZxRQ6Uj2XKe4VrHAKDcoZuptLrMG7WPjYZLvEmn3bOC', 'mxz3RruGpyNg89LL8uRu5aD63Cv4ibEPN6asGkyfoNXfva30YRThaY21xH8zAmHjFD'
                    Source: BootstrapperV1.16.exe, 1GX1cj7BjvLmt39ChXJM1BKc2FZbcYTQ7.csHigh entropy of concatenated method names: 'spnpOUau4peJma3rhooOprCCgcbRSO7q9', 'OpJS39gmPYPpQ7sBVEOCn6gCCIfWOfg05', '_4wr4q8AyHrWdfSVRdYZMEoPXNmMENaN6c', 'WylWUW2OMAGvQQCC53obVqf2WvVxlY1Ws', 'C6nJCNP31cuMHp9wCjzhGTHMcsDmEXChD', 'mP1mHekJN0qwYjMGGFVjqOswut6puG6uO', 'N2ZwEIP9Wd1YzukIY9dk8Y7z7fLzZsOMr', 'HieOl6EuxrVMe7yVi949N7Rnyo9M6ySgN', 'Q0yRKsae99Uy4qODIC1TnZipuS5Jje9Wx', 'Db4TqUwylMbgLKp0h41q7jpq6ZK8Sxvua'
                    Source: BootstrapperV1.16.exe, 5xu4vnHJXK0y0bM9IQa5mFpLbw0VwznJcJ3QZlRQyquzpat1.csHigh entropy of concatenated method names: 'Ke73JotnEnKgOFm4Xvv3MT8g8WMx46pgueIBF0S6qnb3E07j', 'Zv3rKSvajADN5oh8AGHP3vmrEvS3n4aLFKDnsaLPjSZ7ohxD', 'aMY9qif2DMoF8q82PoIMuD5nt6vyJgd1I4SCFUyGaRufPkaP', 'pBbq9hGAEBLPJQPFH6tmw6zmvqTDrfbiLG7hIle5dDrhZqbe', 'B5WS1JNCihDD2SysUQx3Sbl1Sm9h6B0yZ7mXOc1M0Pt1MXhc', 'rlvm9mIVCPIDc96aBP1Zbgsd3aXZlJCJgoXhzIDCbd3dLLUu', 'S4mlQWSedvbagjdXdZQLfp4jiGIIVRGch1kvxv9mXcvuH6NX', 'SjvkzwN5rB0MqLKS4NuZqacQZyxdBOsOdPTFY2arKxB5bZqL', '_4JplVjr9onVe9kKfCmJfPbM0fXQNFuxvt3kInVmwTQ1niTrR', 'jNAp1NImB1RgDhG4hZRAZ8zLIJVUZ5ykOuc4VJcwVjs6JF76'
                    Source: BootstrapperV1.16.exe, MYTWVw4O597K1pYdrCE3hYc0XPFlQTarTDXetwfWoSOpqcUA.csHigh entropy of concatenated method names: '_2QxD7AnkGKlPH1usShJHjt5ITNMVXPTlofM6Q2mQYLvidZE4', 'oFF88RaYgC7LHSr9EQo9pilB0pwBJJip1s0MFKxLwWXjFURH', 'qkKqLEK6mNYC8PVo9TYMG9iFYJnFDMz0ufWXHSZqbeU3F71U', 'kxAtV5XKV5OdfgNDLl36W3BI7HUumYBhp', 'liJQld3LCYQffK8vdWvzBgwmorE4zAuPI', '_7t1FdMNFaHYfd4ItnHNxnBq8tEeZ2Cgrw', 'pVNJnQy8z7i07v4IZkvdxbnugrBDTyLNm', 'cX31BiXScqoXo6cbhHueZfNGjsUVpagTs', 'GUW3gXxmrZBgTa4yktbV2poRLWj0w9yzV', 'YLwWzmBTCimMFqxogSkqzRFJ6DGhHJNxH'
                    Source: BootstrapperV1.16.exe, m0B7yeshFCUMyPXttOigEUQoowydIPEz6.csHigh entropy of concatenated method names: 'KLozAKgPeZk5GDIExjWvRNGIGXdMbwPA6', 'Te4iHBXG8J7jfC8wmwLz5HjV39hANbvcGzasjUJZpUoMmwRY91dPNbDksh1SSSuD7VLLVLJxSHCxS7qql33DP08ET2TsEpgkVj', 'sFaB5kY9OLgfG1GrpcHMU4LLYX5H7DECpKJjqznD5RS7ycem5SzU11a9oWO9kJnIdVMSCfZGbxcLIRdEbQzng0n8i0sxC71B3F', 'ACrV4DUXUw58vjHq5nHcBqMkgiEjVpsFeTsdGJ8A5JQYcbTB7l9a7bIkgTC3jDD3LcOdotYyJ6WRk8Hmb77SiUCRvoGZZojnYk', 'fZYDKiFIVt71CAAGSxgMStEhARfchVr14n5MPh9nEUI7FTgVNIVbNdhu0Uoc97IQCXxBn2JwCNF0NZtPV5bZCPadWzB5N3OdNR'
                    Source: BootstrapperV1.16.exe, yVec4rdYvhhaMJjthAfgC85YcrF49MXvW4SCGx77ESYyAXqi.csHigh entropy of concatenated method names: 'LGCrfBE3FIHieUqY92C532uWnk5Mt7fdDzdcCrXedA3qB54P', 'juZNEQ0UDvxnLYc5FKZ5mZJ8v3j8ZIj1PLNc65lKfkilFTaX', 'YgThxwzPJsGJRxlgjVbQqF6j34lZpqvEXY6sV6WotVlE21UI', 'ETNLT67ge7oP6C4fnNevVj98qRj3c7N0mESEAclRGG3nEQ05', 'MvdZxGiKIy45kiUj8kTYEivHjEgynrz9JpS72v4TEhi4a7BM', 'ZeaE5Xhg8wRHiCIc8lyMthl5TrMGgUYiciuIGKHdE5gUQQXf', 'MOOFCVvpL6j68yLHc4Bl8YUASxxKWRwkeXtTAH2nWEeLzLkd', 'g9YHuIltyjXr0kWKbGtx0BOiULjteX1YKKwVKZ0xVRWV3arn', 'T3SVxrSCiwVGeZL55hEpp1pmYr2xMubXpJaaytW82V3iH1dA', 'Dp4DSJ1pL4AouyteBJFLkRlrV6eRrC4bFzykvSsrvlNvlUxj'
                    Source: BootstrapperV1.16.exe, MHeryqZPQNY9ggNDrhVIGHd8aIjufJhUR.csHigh entropy of concatenated method names: 'p1PjDA23syi1mBwY5xsz4TIgRpTNNxSu3', '_6nBxaSUqSjH43HehUbaT9VFkegxHofEN2', '_0f8KAF1GU0ADxclHZX2isztdciOpUGo6u', '_3oza8d48Cs9R5VZM8z44uHzGRmJIJ5pvM', 'HxGu7kJFAiSslJhBQxVphsZCKlx5hhl3W630Psf6JrTFsGxDm8z20yyjN2aLoVoDqEzoNB7YNUjqDK2cBuKtQ1oEAuTZFDh0UJ', '_6gWmwFOMZRFxW34bDGJFUgYhNielL77eROJbRtPv2hiqpKbFI7mmrCpoz4nNFudHSIuGiN9KzfrBC2YUcoJrJYX7q6igRzXDzC', 'Sc60shMwg9mbSX8tk0qaz0UrxQ9MVf6YDLK9SRWHnGoqsS6ATkF9mmAOswiYNIRgFPGsGKhqeiMfDIXLUOa0H4YCB37zXZ1OHJ', 'oBHZ2jFAB0rrQvJeILxBx0lRIDId9cln9DdRIDULB5nDWNSm0oLMnozChd2fnF50nWocHztkBIxs47uKboKYl9z3kWqjuTpdeH', 'Q9DOjFesD77R5B1vwnh6lLmgbOpBNZiZDuuU21Wi1g3IQ8KxLsmpCvRHyQoCDsymjVmbacmC5yYVOcETtb0oPpse21Nnqvhg4H', '_3qrZ8FRXF9RFAsWMben9PUbbPcf4yznnvCS90nZMiIypxWcszn6UnfWvEFGUdr2Z9EL7h54p9quY4S8LOkIXqZpQiQRTgH8xSI'
                    Source: RuntimeBroker.exe.0.dr, tojobrxk4BWvY1lQ6HKL4OGnCszWyiksqWzMlY14X52WOx8y.csHigh entropy of concatenated method names: 'lZF1HpuA5wrgn9FPo3WX5kk6SYiE9qovH', 'ljKcKRE8Z9gPVY70nHbHPEfJWumWeXMCQ', 'ofJmDvJo7OotK35gDFgMwgTGKXqO7prpf', 'V5OHeVFmHPb3gErRhxFoHQd92cJcLbW3z'
                    Source: RuntimeBroker.exe.0.dr, bJCrM1wCcp7U35tvaY5PFjxpqHTk9epcG.csHigh entropy of concatenated method names: 'uTdz6YCWNMUpxviko2HZseFKh4ygfAUt2', 'hRgsYvf12VAevSAHiM1YTdR8UpZ6WCz7d', 'VbEr8LXcuADGNg5TDoEykdKnSo8vq60u6', 'k4o3dYlgprKWJeftywuUgkyqLTeGlzj2hUPwkKLOc09VeQh6RKQafpZ4juwinZePeHbAaB2IyNitpN84xyY', 'EC06bDErB7POL9kqDBp9xfJYwmhZcS2GvfRzM9YP6ttUpwHzYwRJoV7mElQgwxfHjnt2Js8km2ufmRqtpAC', 'KvUT7Iuxjeft0VyDhAZEOklFZ2XuMbMfD7ISvVhP7knsiUa9Fn1bvanAVQkMsAFU9BOzYMI2OGHw2co1XA2', '_2k3rpA70S0hNJ0aT2BQiR67lEA4CMsUn45StUZeLj1sFjWhewekbO0gnURzHHgcrVqZqP6wKIM0mcVgBDt0', 'zW5LvmhXHM2tjPV2D6hZQIq02yVDH0DnZr7EDz0gQ30c7bKCIpeUkf1sBPLIeEFKyw65IMZCxTYZ2wHdl3z', '_0OFRWCIeE1DPp59EzsfIgjQ4kMk85gHihlpxGjrpwicuyySOoWweDGNwKpOZjgI1THqlDXWmY275AErIfcq', 'BEbULDkUUk7z2MTQ3hw77EcaGKecvztxI27yvBlFjlZiYtBHiABLX38DWWjOruco6Hg3OetxgAdEyli2ys4'
                    Source: RuntimeBroker.exe.0.dr, aV9OrMIX4hKGn3f8bOYpd3J0vIGYVpQ3bKglvibRWDudQuga.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Uq2AYxGaapBCUCLaiC2t9NXhXE7l1pb8r', 'gC9xnDZT5Wcmq0wzwUjIwrL6ZikEClH4d', 'KZ7FNlklhpSv4Sw5zldXgQpXHBEky6OlS', '_5KwQPWeVtfZrVjTztRMRUpvCQWIRcNuDI'
                    Source: RuntimeBroker.exe.0.dr, lTbfnmh5SWlYUY1dETXUGxAExIiZqthTSyx7IL2KjS2rzw47.csHigh entropy of concatenated method names: 'xQhpPupKQWeDnYp2qn6jA7uDsTS0t9MlY5cWemNqXJool81e', 'jAIB97CXc5efIhesD3zic9mdC6vVWZusfch86XdC6SXPc3LG', 'LMH0KufrYu4GlXxZj5fBX0wofuuPi8daoMxCfYaeQ496q9a9', 'y3yzieuwvIFjcifNci2tq9RRzpS3oEUN6SSdlsMtaNzFceK8', 'L7CzxcJDCVkWnXftpWMoEPNUN9Gz2YduCpJo3em5FEgxiKBD', 'UzTaa9Oju8EeJEIIiuRpWZolgjZ5umQyIduP0iluQfeVrGMG', 'EcWH9yfZKqMA5hSkk98xTf4YDQ5WlZT1Fls7RzqVme2pPefZ', '_3UNFuKnCgiyPkw4GgBEzwFcOjZCW6ov0gm7sBzv7o82ZYPGg', 'hhYqoV76lVpw4RJKmYqfhdFmdKiXFv3ktJ8JF5pbDQ2S3fXB', 'NyQVBJB2MRNW7coUfyB7EZNq9wd8qLsp6miFSBa7PVcVzMuW'
                    Source: RuntimeBroker.exe.0.dr, QiAcIDVohP5zwGwovBrjE6G4PTDImC4HqrosnpIaj3XbsuQL.csHigh entropy of concatenated method names: 'T0pllQIz28sqJdEFA23gPStIEWHkAORVFTRDU4p5Le5peO7E', '_6i31SDhv0f4pUcUOszPTgxiFuEFHZG38zqm5Oe8rKFmV73Z2blwDInUMWqcOhXQlF8', 'So2j666Vg04MPHS5G3FZfGAoQTuEPr1YIdU6uIORc7jAPsCfXPwIHK1oVCIKEFRC1y', 'U9GjUHVlmkQCG3AesH00KLpZxRQ6Uj2XKe4VrHAKDcoZuptLrMG7WPjYZLvEmn3bOC', 'mxz3RruGpyNg89LL8uRu5aD63Cv4ibEPN6asGkyfoNXfva30YRThaY21xH8zAmHjFD'
                    Source: RuntimeBroker.exe.0.dr, 1GX1cj7BjvLmt39ChXJM1BKc2FZbcYTQ7.csHigh entropy of concatenated method names: 'spnpOUau4peJma3rhooOprCCgcbRSO7q9', 'OpJS39gmPYPpQ7sBVEOCn6gCCIfWOfg05', '_4wr4q8AyHrWdfSVRdYZMEoPXNmMENaN6c', 'WylWUW2OMAGvQQCC53obVqf2WvVxlY1Ws', 'C6nJCNP31cuMHp9wCjzhGTHMcsDmEXChD', 'mP1mHekJN0qwYjMGGFVjqOswut6puG6uO', 'N2ZwEIP9Wd1YzukIY9dk8Y7z7fLzZsOMr', 'HieOl6EuxrVMe7yVi949N7Rnyo9M6ySgN', 'Q0yRKsae99Uy4qODIC1TnZipuS5Jje9Wx', 'Db4TqUwylMbgLKp0h41q7jpq6ZK8Sxvua'
                    Source: RuntimeBroker.exe.0.dr, 5xu4vnHJXK0y0bM9IQa5mFpLbw0VwznJcJ3QZlRQyquzpat1.csHigh entropy of concatenated method names: 'Ke73JotnEnKgOFm4Xvv3MT8g8WMx46pgueIBF0S6qnb3E07j', 'Zv3rKSvajADN5oh8AGHP3vmrEvS3n4aLFKDnsaLPjSZ7ohxD', 'aMY9qif2DMoF8q82PoIMuD5nt6vyJgd1I4SCFUyGaRufPkaP', 'pBbq9hGAEBLPJQPFH6tmw6zmvqTDrfbiLG7hIle5dDrhZqbe', 'B5WS1JNCihDD2SysUQx3Sbl1Sm9h6B0yZ7mXOc1M0Pt1MXhc', 'rlvm9mIVCPIDc96aBP1Zbgsd3aXZlJCJgoXhzIDCbd3dLLUu', 'S4mlQWSedvbagjdXdZQLfp4jiGIIVRGch1kvxv9mXcvuH6NX', 'SjvkzwN5rB0MqLKS4NuZqacQZyxdBOsOdPTFY2arKxB5bZqL', '_4JplVjr9onVe9kKfCmJfPbM0fXQNFuxvt3kInVmwTQ1niTrR', 'jNAp1NImB1RgDhG4hZRAZ8zLIJVUZ5ykOuc4VJcwVjs6JF76'
                    Source: RuntimeBroker.exe.0.dr, MYTWVw4O597K1pYdrCE3hYc0XPFlQTarTDXetwfWoSOpqcUA.csHigh entropy of concatenated method names: '_2QxD7AnkGKlPH1usShJHjt5ITNMVXPTlofM6Q2mQYLvidZE4', 'oFF88RaYgC7LHSr9EQo9pilB0pwBJJip1s0MFKxLwWXjFURH', 'qkKqLEK6mNYC8PVo9TYMG9iFYJnFDMz0ufWXHSZqbeU3F71U', 'kxAtV5XKV5OdfgNDLl36W3BI7HUumYBhp', 'liJQld3LCYQffK8vdWvzBgwmorE4zAuPI', '_7t1FdMNFaHYfd4ItnHNxnBq8tEeZ2Cgrw', 'pVNJnQy8z7i07v4IZkvdxbnugrBDTyLNm', 'cX31BiXScqoXo6cbhHueZfNGjsUVpagTs', 'GUW3gXxmrZBgTa4yktbV2poRLWj0w9yzV', 'YLwWzmBTCimMFqxogSkqzRFJ6DGhHJNxH'
                    Source: RuntimeBroker.exe.0.dr, m0B7yeshFCUMyPXttOigEUQoowydIPEz6.csHigh entropy of concatenated method names: 'KLozAKgPeZk5GDIExjWvRNGIGXdMbwPA6', 'Te4iHBXG8J7jfC8wmwLz5HjV39hANbvcGzasjUJZpUoMmwRY91dPNbDksh1SSSuD7VLLVLJxSHCxS7qql33DP08ET2TsEpgkVj', 'sFaB5kY9OLgfG1GrpcHMU4LLYX5H7DECpKJjqznD5RS7ycem5SzU11a9oWO9kJnIdVMSCfZGbxcLIRdEbQzng0n8i0sxC71B3F', 'ACrV4DUXUw58vjHq5nHcBqMkgiEjVpsFeTsdGJ8A5JQYcbTB7l9a7bIkgTC3jDD3LcOdotYyJ6WRk8Hmb77SiUCRvoGZZojnYk', 'fZYDKiFIVt71CAAGSxgMStEhARfchVr14n5MPh9nEUI7FTgVNIVbNdhu0Uoc97IQCXxBn2JwCNF0NZtPV5bZCPadWzB5N3OdNR'
                    Source: RuntimeBroker.exe.0.dr, yVec4rdYvhhaMJjthAfgC85YcrF49MXvW4SCGx77ESYyAXqi.csHigh entropy of concatenated method names: 'LGCrfBE3FIHieUqY92C532uWnk5Mt7fdDzdcCrXedA3qB54P', 'juZNEQ0UDvxnLYc5FKZ5mZJ8v3j8ZIj1PLNc65lKfkilFTaX', 'YgThxwzPJsGJRxlgjVbQqF6j34lZpqvEXY6sV6WotVlE21UI', 'ETNLT67ge7oP6C4fnNevVj98qRj3c7N0mESEAclRGG3nEQ05', 'MvdZxGiKIy45kiUj8kTYEivHjEgynrz9JpS72v4TEhi4a7BM', 'ZeaE5Xhg8wRHiCIc8lyMthl5TrMGgUYiciuIGKHdE5gUQQXf', 'MOOFCVvpL6j68yLHc4Bl8YUASxxKWRwkeXtTAH2nWEeLzLkd', 'g9YHuIltyjXr0kWKbGtx0BOiULjteX1YKKwVKZ0xVRWV3arn', 'T3SVxrSCiwVGeZL55hEpp1pmYr2xMubXpJaaytW82V3iH1dA', 'Dp4DSJ1pL4AouyteBJFLkRlrV6eRrC4bFzykvSsrvlNvlUxj'
                    Source: RuntimeBroker.exe.0.dr, MHeryqZPQNY9ggNDrhVIGHd8aIjufJhUR.csHigh entropy of concatenated method names: 'p1PjDA23syi1mBwY5xsz4TIgRpTNNxSu3', '_6nBxaSUqSjH43HehUbaT9VFkegxHofEN2', '_0f8KAF1GU0ADxclHZX2isztdciOpUGo6u', '_3oza8d48Cs9R5VZM8z44uHzGRmJIJ5pvM', 'HxGu7kJFAiSslJhBQxVphsZCKlx5hhl3W630Psf6JrTFsGxDm8z20yyjN2aLoVoDqEzoNB7YNUjqDK2cBuKtQ1oEAuTZFDh0UJ', '_6gWmwFOMZRFxW34bDGJFUgYhNielL77eROJbRtPv2hiqpKbFI7mmrCpoz4nNFudHSIuGiN9KzfrBC2YUcoJrJYX7q6igRzXDzC', 'Sc60shMwg9mbSX8tk0qaz0UrxQ9MVf6YDLK9SRWHnGoqsS6ATkF9mmAOswiYNIRgFPGsGKhqeiMfDIXLUOa0H4YCB37zXZ1OHJ', 'oBHZ2jFAB0rrQvJeILxBx0lRIDId9cln9DdRIDULB5nDWNSm0oLMnozChd2fnF50nWocHztkBIxs47uKboKYl9z3kWqjuTpdeH', 'Q9DOjFesD77R5B1vwnh6lLmgbOpBNZiZDuuU21Wi1g3IQ8KxLsmpCvRHyQoCDsymjVmbacmC5yYVOcETtb0oPpse21Nnqvhg4H', '_3qrZ8FRXF9RFAsWMben9PUbbPcf4yznnvCS90nZMiIypxWcszn6UnfWvEFGUdr2Z9EL7h54p9quY4S8LOkIXqZpQiQRTgH8xSI'
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeFile created: C:\Users\user\AppData\Roaming\RuntimeBroker.exeJump to dropped file
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnkJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnkJump to behavior

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Check if machine is in data center or colocation facility
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: BootstrapperV1.16.exe, 00000000.00000002.2931914531.0000000002A11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: BootstrapperV1.16.exe, RuntimeBroker.exe.0.drBinary or memory string: SBIEDLL.DLLCQ6NFTSYVHSMF35IJP6GUFWOCUPPDW1YFYC3VHFOS0YOWWVENSYRYBQSJDQPGOO6I09SCEGSVPABSM7C3FLPGB3YOWBWYSHAZLXBEPCY9NLZHF99CT88MTVVT6XO46FZIWE9GWYPCWSSNCGEZCY2WDAOBWFKWUUQZ6DQ2MZBWAC88JX91YCG7GFLM2LWKKDC83WSJYGXW63SCMBH6TCIJDHH4CE4LBC691QWXSY7GINVOSCHFDZSEDVFACFK36JWQPZJBUCW37WXFC36C3IUZRH6KRBWHR1ZEMLTKS7NSZLKLGTGSFCNRHPHDS5FRQ7YYYQNPFHJR7RLXU1T07XNCARIWMYSA3IY3BIHKRQF1NGMXEGZSZYJWNCDLY5DT2WO389BGQXJO1JK5NKPE0OD7NMRCQNE1SSDRGSJRTLNAU139WXVEEHYKN55PCCKZDB9ZBM8VTG4RUIGDHAV93QPR1LOFGVUINFO
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeMemory allocated: 10E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeMemory allocated: 1AA10000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeMemory allocated: 24F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeMemory allocated: 1A4F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeMemory allocated: 2420000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeMemory allocated: 1A420000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeWindow / User API: threadDelayed 9664Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6944Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2726Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7700Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1933Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7274Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2356Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7978
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1682
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exe TID: 7700Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968Thread sleep count: 7700 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972Thread sleep count: 1933 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7280Thread sleep count: 7274 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7276Thread sleep count: 2356 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4600Thread sleep count: 7978 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3020Thread sleep count: 1682 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7340Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe TID: 1720Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe TID: 8128Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeThread delayed: delay time: 922337203685477
                    Source: RuntimeBroker.exe.0.drBinary or memory string: vmware
                    Source: BootstrapperV1.16.exe, 00000000.00000002.2964271180.000000001B7A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    barindex
                    Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeCode function: 0_2_00007FFD9B887871 CheckRemoteDebuggerPresent,0_2_00007FFD9B887871
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe'
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker.exe'
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker.exe'Jump to behavior
                    Bypasses PowerShell execution policy
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe'
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BootstrapperV1.16.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeQueries volume information: C:\Users\user\Desktop\BootstrapperV1.16.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeQueries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exeQueries volume information: C:\Users\user\AppData\Roaming\RuntimeBroker.exe VolumeInformation
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: BootstrapperV1.16.exe, 00000000.00000002.2964271180.000000001B7A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\BootstrapperV1.16.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    barindex
                    Yara detected XWorm
                    Source: Yara matchFile source: BootstrapperV1.16.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.BootstrapperV1.16.exe.880000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.2961557097.0000000012A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.1675665365.0000000000882000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2931914531.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: BootstrapperV1.16.exe PID: 7536, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, type: DROPPED

                    Remote Access Functionality

                    barindex
                    Yara detected XWorm
                    Source: Yara matchFile source: BootstrapperV1.16.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.BootstrapperV1.16.exe.880000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.2961557097.0000000012A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.1675665365.0000000000882000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2931914531.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: BootstrapperV1.16.exe PID: 7536, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, type: DROPPED

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts12
                    Windows Management Instrumentation                    		2
                    Registry Run Keys / Startup Folder                    		11
                    Process Injection                    		1
                    Masquerading                    		OS Credential Dumping541
                    Security Software Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    PowerShell                    		1
                    DLL Side-Loading                    		2
                    Registry Run Keys / Startup Folder                    		11
                    Disable or Modify Tools                    		LSASS Memory1
                    Process Discovery                    		Remote Desktop ProtocolData from Removable Media1
                    Non-Standard Port                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    DLL Side-Loading                    		151
                    Virtualization/Sandbox Evasion                    		Security Account Manager151
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin SharesData from Network Shared Drive1
                    Ingress Tool Transfer                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput Capture2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Deobfuscate/Decode Files or Information                    		LSA Secrets1
                    System Network Configuration Discovery                    		SSHKeylogging12
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Obfuscated Files or Information                    		Cached Domain Credentials1
                    File and Directory Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                    Software Packing                    		DCSync23
                    System Information Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                    DLL Side-Loading                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1584550 Sample: BootstrapperV1.16.exe Startdate: 05/01/2025 Architecture: WINDOWS Score: 100 36 24.ip.gl.ply.gg 2->36 38 ip-api.com 2->38 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 16 other signatures 2->52 8 BootstrapperV1.16.exe 15 6 2->8         started        13 RuntimeBroker.exe 2->13         started        15 RuntimeBroker.exe 2->15         started        signatures3 process4 dnsIp5 40 24.ip.gl.ply.gg 147.185.221.24, 49738, 61472 SALSGIVERUS United States 8->40 42 ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States 8->42 34 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32 8->34 dropped 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->54 56 Protects its processes via BreakOnTermination flag 8->56 58 Bypasses PowerShell execution policy 8->58 66 3 other signatures 8->66 17 powershell.exe 23 8->17         started        20 powershell.exe 23 8->20         started        22 powershell.exe 22 8->22         started        24 powershell.exe 8->24         started        60 Antivirus detection for dropped file 13->60 62 Multi AV Scanner detection for dropped file 13->62 64 Machine Learning detection for dropped file 13->64 file6 signatures7 process8 signatures9 44 Loading BitLocker PowerShell Module 17->44 26 conhost.exe 17->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        process10

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    BootstrapperV1.16.exe76%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                    BootstrapperV1.16.exe100%AviraTR/Dropper.Gen
                    BootstrapperV1.16.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\RuntimeBroker.exe100%AviraTR/Dropper.Gen
                    C:\Users\user\AppData\Roaming\RuntimeBroker.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\RuntimeBroker.exe76%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://wwwrosocrostp:/ime20210(1).c0%Avira URL Cloudsafe
                    24.ip.gl.ply.gg0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    24.ip.gl.ply.gg
                    		147.185.221.24
                    		truetrue
                      		unknown
                      ip-api.com
                      		208.95.112.1
                      		truefalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        24.ip.gl.ply.ggtrue
                        • Avira URL Cloud: safe
                        		unknown
                        127.0.0.1false
                          		high
                          http://ip-api.com/line/?fields=hostingfalse
                            		high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1766388571.000001BF90076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1850926111.000001FDB2066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1989841862.000001DA38ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2177090574.000001CEE3013000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://crl.micropowershell.exe, 00000001.00000002.1775580007.000001BFF8230000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000B.00000002.2047132449.000001CED31CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000001.00000002.1751727829.000001BF80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800352818.000001FDA2218000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1905966006.000001DA2908A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2047132449.000001CED31CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000B.00000002.2047132449.000001CED31CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000001.00000002.1751727829.000001BF80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800352818.000001FDA2218000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1905966006.000001DA2908A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2047132449.000001CED31CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://contoso.com/powershell.exe, 0000000B.00000002.2177090574.000001CEE3013000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1766388571.000001BF90076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1850926111.000001FDB2066000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1989841862.000001DA38ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2177090574.000001CEE3013000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://crl.micro/pki/crl/productCerAut_2010-06-2powershell.exe, 00000001.00000002.1775580007.000001BFF8230000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              https://contoso.com/Licensepowershell.exe, 0000000B.00000002.2177090574.000001CEE3013000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://contoso.com/Iconpowershell.exe, 0000000B.00000002.2177090574.000001CEE3013000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://aka.ms/pscore68powershell.exe, 00000001.00000002.1751727829.000001BF80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800352818.000001FDA1FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1905966006.000001DA28E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2047132449.000001CED2FA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameBootstrapperV1.16.exe, 00000000.00000002.2931914531.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1751727829.000001BF80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800352818.000001FDA1FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1905966006.000001DA28E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2047132449.000001CED2FA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.2047132449.000001CED31CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://wwwrosocrostp:/ime20210(1).cpowershell.exe, 0000000B.00000002.2208188317.000001CEEB7DA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown

                                                        World Map of Contacted IPs

                                                        • No. of IPs < 25%
                                                        • 25% < No. of IPs < 50%
                                                        • 50% < No. of IPs < 75%
                                                        • 75% < No. of IPs

                                                        Public IPs

                                                        IPDomainCountryFlagASNASN NameMalicious
                                                        208.95.112.1
                                                        		ip-api.comUnited States
                                                        		53334TUT-ASUSfalse
                                                        147.185.221.24
                                                        		24.ip.gl.ply.ggUnited States
                                                        		12087SALSGIVERUStrue

                                                        General Information

                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1584550
                                                        Start date and time:2025-01-05 20:31:05 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 5m 56s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                        Number of analysed new started processes analysed:16
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:BootstrapperV1.16.exe
                                                        Detection:MAL
                                                        Classification:mal100.troj.evad.winEXE@15/21@2/2
                                                        EGA Information:
                                                        • Successful, ratio: 14.3%
                                                        HCA Information:
                                                        • Successful, ratio: 99%
                                                        • Number of executed functions: 71
                                                        • Number of non-executed functions: 6
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe

                                                        Warnings

                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                        • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                        • Execution Graph export aborted for target RuntimeBroker.exe, PID 5800 because it is empty
                                                        • Execution Graph export aborted for target RuntimeBroker.exe, PID 8108 because it is empty
                                                        • Execution Graph export aborted for target powershell.exe, PID 7200 because it is empty
                                                        • Execution Graph export aborted for target powershell.exe, PID 7656 because it is empty
                                                        • Execution Graph export aborted for target powershell.exe, PID 7884 because it is empty
                                                        • Execution Graph export aborted for target powershell.exe, PID 8160 because it is empty
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                        • VT rate limit hit for: BootstrapperV1.16.exe

                                                        Simulations

                                                        Behavior and APIs

                                                        TimeTypeDescription
                                                        14:32:02API Interceptor45x Sleep call for process: powershell.exe modified
                                                        14:32:52API Interceptor420255x Sleep call for process: BootstrapperV1.16.exe modified
                                                        19:32:56AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker C:\Users\user\AppData\Roaming\RuntimeBroker.exe
                                                        19:33:05AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker C:\Users\user\AppData\Roaming\RuntimeBroker.exe
                                                        19:33:13AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk

                                                        Joe Sandbox View / Context

                                                        IPs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        208.95.112.1SharkHack.exeGet hashmaliciousXWormBrowse
                                                        • ip-api.com/line/?fields=hosting
                                                        paint.exeGet hashmaliciousBlank GrabberBrowse
                                                        • ip-api.com/json/?fields=225545
                                                        X9g8L63QGs.exeGet hashmaliciousBlank GrabberBrowse
                                                        • ip-api.com/json/?fields=225545
                                                        KpHYfxnJs6.exeGet hashmaliciousBlank GrabberBrowse
                                                        • ip-api.com/json/?fields=225545
                                                        9g9LZNE4bH.exeGet hashmaliciousBlank GrabberBrowse
                                                        • ip-api.com/json/?fields=225545
                                                        riFSkYVMKB.exeGet hashmaliciousBlank GrabberBrowse
                                                        • ip-api.com/json/?fields=225545
                                                        ddos tool.exeGet hashmaliciousXWormBrowse
                                                        • ip-api.com/line/?fields=hosting
                                                        kthiokadjg.exeGet hashmaliciousBlackshadesBrowse
                                                        • ip-api.com/json/
                                                        file.exeGet hashmaliciousAsyncRAT, XRed, XWormBrowse
                                                        • ip-api.com/line/?fields=hosting
                                                        file.exeGet hashmaliciousXWormBrowse
                                                        • ip-api.com/line/?fields=hosting
                                                        147.185.221.24SharkHack.exeGet hashmaliciousXWormBrowse
                                                          avaydna.exeGet hashmaliciousNjratBrowse
                                                            ddos tool.exeGet hashmaliciousXWormBrowse
                                                              L988Ph5sKX.exeGet hashmaliciousXWormBrowse
                                                                ANuh30XoVu.exeGet hashmaliciousXWormBrowse
                                                                  p59UXHJRX3.exeGet hashmaliciousXenoRATBrowse
                                                                    JdYlp3ChrS.exeGet hashmaliciousNjratBrowse
                                                                      Extreme Injector v3.exeGet hashmaliciousXWormBrowse
                                                                        test.exeGet hashmaliciousDarkCometBrowse
                                                                          L363rVr7oL.exeGet hashmaliciousNjratBrowse

                                                                            Domains

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            ip-api.comSharkHack.exeGet hashmaliciousXWormBrowse
                                                                            • 208.95.112.1
                                                                            paint.exeGet hashmaliciousBlank GrabberBrowse
                                                                            • 208.95.112.1
                                                                            X9g8L63QGs.exeGet hashmaliciousBlank GrabberBrowse
                                                                            • 208.95.112.1
                                                                            KpHYfxnJs6.exeGet hashmaliciousBlank GrabberBrowse
                                                                            • 208.95.112.1
                                                                            9g9LZNE4bH.exeGet hashmaliciousBlank GrabberBrowse
                                                                            • 208.95.112.1
                                                                            riFSkYVMKB.exeGet hashmaliciousBlank GrabberBrowse
                                                                            • 208.95.112.1
                                                                            ddos tool.exeGet hashmaliciousXWormBrowse
                                                                            • 208.95.112.1
                                                                            kthiokadjg.exeGet hashmaliciousBlackshadesBrowse
                                                                            • 208.95.112.1
                                                                            file.exeGet hashmaliciousAsyncRAT, XRed, XWormBrowse
                                                                            • 208.95.112.1
                                                                            file.exeGet hashmaliciousXWormBrowse
                                                                            • 208.95.112.1
                                                                            24.ip.gl.ply.ggSharkHack.exeGet hashmaliciousXWormBrowse
                                                                            • 147.185.221.24

                                                                            ASNs

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            TUT-ASUSSharkHack.exeGet hashmaliciousXWormBrowse
                                                                            • 208.95.112.1
                                                                            paint.exeGet hashmaliciousBlank GrabberBrowse
                                                                            • 208.95.112.1
                                                                            X9g8L63QGs.exeGet hashmaliciousBlank GrabberBrowse
                                                                            • 208.95.112.1
                                                                            KpHYfxnJs6.exeGet hashmaliciousBlank GrabberBrowse
                                                                            • 208.95.112.1
                                                                            9g9LZNE4bH.exeGet hashmaliciousBlank GrabberBrowse
                                                                            • 208.95.112.1
                                                                            riFSkYVMKB.exeGet hashmaliciousBlank GrabberBrowse
                                                                            • 208.95.112.1
                                                                            ddos tool.exeGet hashmaliciousXWormBrowse
                                                                            • 208.95.112.1
                                                                            kthiokadjg.exeGet hashmaliciousBlackshadesBrowse
                                                                            • 208.95.112.1
                                                                            file.exeGet hashmaliciousAsyncRAT, XRed, XWormBrowse
                                                                            • 208.95.112.1
                                                                            file.exeGet hashmaliciousXWormBrowse
                                                                            • 208.95.112.1
                                                                            SALSGIVERUSSharkHack.exeGet hashmaliciousXWormBrowse
                                                                            • 147.185.221.24
                                                                            avaydna.exeGet hashmaliciousNjratBrowse
                                                                            • 147.185.221.24
                                                                            ddos tool.exeGet hashmaliciousXWormBrowse
                                                                            • 147.185.221.24
                                                                            L988Ph5sKX.exeGet hashmaliciousXWormBrowse
                                                                            • 147.185.221.24
                                                                            ANuh30XoVu.exeGet hashmaliciousXWormBrowse
                                                                            • 147.185.221.24
                                                                            p59UXHJRX3.exeGet hashmaliciousXenoRATBrowse
                                                                            • 147.185.221.24
                                                                            JdYlp3ChrS.exeGet hashmaliciousNjratBrowse
                                                                            • 147.185.221.24
                                                                            Extreme Injector v3.exeGet hashmaliciousXWormBrowse
                                                                            • 147.185.221.24
                                                                            OneDrive.exeGet hashmaliciousQuasarBrowse
                                                                            • 147.185.221.22
                                                                            gReXLT7XjR.exeGet hashmaliciousNjratBrowse
                                                                            • 147.185.221.18

                                                                            JA3 Fingerprints

                                                                            No context

                                                                            Dropped Files

                                                                            No context

                                                                            Created / dropped Files

                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

                                                                            Download File
                                                                            Process:C:\Users\user\AppData\Roaming\RuntimeBroker.exe
                                                                            File Type:CSV text
                                                                            Category:dropped
                                                                            Size (bytes):654
                                                                            Entropy (8bit):5.380476433908377
                                                                            Encrypted:false
                                                                            SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                            MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                            SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                            SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                            SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:modified
                                                                            Size (bytes):64
                                                                            Entropy (8bit):0.34726597513537405
                                                                            Encrypted:false
                                                                            SSDEEP:3:Nlll:Nll
                                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                            Malicious:false
                                                                            Preview:@...e...........................................................

                                                                            C:\Users\user\AppData\Local\Temp\Log.tmp

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\BootstrapperV1.16.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):41
                                                                            Entropy (8bit):3.7195394315431693
                                                                            Encrypted:false
                                                                            SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                                                            MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                                                            SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                                                            SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                                                            SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                                                            Malicious:false
                                                                            Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0mxdwrav.xd1.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15sbehlj.tul.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1rzehyk4.lzi.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gzsgom2.1eh.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2hm5wryu.b4l.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gaw3ada.cac.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_arzlvrab.35p.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bacajrul.1fi.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bcqgjirb.4mz.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_efgjhzw2.p45.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghbgvmrs.fft.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mi0g45ud.xql.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nm44qrde.rh0.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ny0nhnfg.201.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oqe3oxbe.k1l.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rtd0pj05.4g0.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\BootstrapperV1.16.exe
                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Jan 5 18:32:52 2025, mtime=Sun Jan 5 18:32:52 2025, atime=Sun Jan 5 18:32:52 2025, length=1321984, window=hide
                                                                            Category:dropped
                                                                            Size (bytes):796
                                                                            Entropy (8bit):5.094933063279188
                                                                            Encrypted:false
                                                                            SSDEEP:24:8Rhfd+bnQaS4SSyA3cbkTS2gTQYTQfBm:8Rh2QaZ3cgJ
                                                                            MD5:27E3931AA67C523CF1F955FD22A21819
                                                                            SHA1:9F0A1D16957DEDFABB1CEAD5CBC111041E06639A
                                                                            SHA-256:5256D2076901AF3660BD0E3874B818D7F26F8EB9B11E5F507BB3116B95C0EC9E
                                                                            SHA-512:ACA9AEDA9D94B5B2F8A65DA1BF67D780320F125EDB9DC1E6D5319A3910D3CC1A9445B2529DD6D42D6F21349BC4AC2AF3D995BF6FECC56D8CCEB79D90D8B7AE2E
                                                                            Malicious:false
                                                                            Preview:L..................F.... ......._......_......_...,........................:..DG..Yr?.D..U..k0.&...&......vk.v.....m3w._..7...._......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^%Z.............................%..A.p.p.D.a.t.a...B.V.1.....%Z....Roaming.@......CW.^%Z............................../.R.o.a.m.i.n.g.....p.2..,..%Z.. .RUNTIM~1.EXE..T......%Z..%Z............,..................R.u.n.t.i.m.e.B.r.o.k.e.r...e.x.e......._...............-.......^...........uV.......C:\Users\user\AppData\Roaming\RuntimeBroker.exe.. .....\.....\.....\.....\.....\.R.u.n.t.i.m.e.B.r.o.k.e.r...e.x.e.`.......X.......562258...........hT..CrF.f4... .Z.%.....,.......hT..CrF.f4... .Z.%.....,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                            C:\Users\user\AppData\Roaming\RuntimeBroker.exe

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\BootstrapperV1.16.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1321984
                                                                            Entropy (8bit):0.6074568350343187
                                                                            Encrypted:false
                                                                            SSDEEP:1536:PhO2gmyqK6OmQPqhwjgJWKYbk6qurviB6jcTXlOHVXVibnXsEPvK:ngmB5OvbgcKYbkEjiocDlOhkbnXsUK
                                                                            MD5:835C37F624F71F8B24E75E261CD3C128
                                                                            SHA1:AA90CEC899E869CC185D55B6529C39EF7D6EAE73
                                                                            SHA-256:46F77AC2874E2A8A9B48A031360E269D132587C995AB320C619BCE2BD324774E
                                                                            SHA-512:3CB5446FE0CFAF1E70F6414781CB5B07ABD9B82C9F95626588159780F7FA9462580F144573F81BA481774CAE3A526BF33CF295EE05CE41E8E5F6CF03DBF0F3D2
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: Joe Security
                                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: Joe Security
                                                                            • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: Sekoia.io
                                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: ditekSHen
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: ReversingLabs, Detection: 76%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....zyg.................D..........>b... ........@.. ....................................@..................................a..O.................................................................................... ............... ..H............text...DB... ...D.................. ..`.rsrc................F..............@..@.reloc...............L..............@..B................ b......H........b..l.......&.....................................................(....*.r...p*. C...*..(....*.rE..p*. u...*.s.........s.........s.........s.........*.r...p*. ...*.r...p*. r...*.r...p*. .(T.*.rU..p*. ..h.*.r...p*. E/..*..((...*.r...p*. .d..*.r?..p*. ~.H.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Y...*"(....+.*&(....&+.*.+5sj... .... .'..ok...(,...~....-.(_...(Q...~....ol...&.-.*.r...p*.r...p*. ,-..*.rM..p*. :?..*.r...p*. *p{.*.r...p*.r...p*. .|..*.r]..p*.r...p*. ..

                                                                            Static File Info

                                                                            General

                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):0.6074568350343187
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            File name:BootstrapperV1.16.exe
                                                                            File size:1'321'984 bytes
                                                                            MD5:835c37f624f71f8b24e75e261cd3c128
                                                                            SHA1:aa90cec899e869cc185d55b6529c39ef7d6eae73
                                                                            SHA256:46f77ac2874e2a8a9b48a031360e269d132587c995ab320c619bce2bd324774e
                                                                            SHA512:3cb5446fe0cfaf1e70f6414781cb5b07abd9b82c9f95626588159780f7fa9462580f144573f81ba481774cae3a526bf33cf295ee05ce41e8e5f6cf03dbf0f3d2
                                                                            SSDEEP:1536:PhO2gmyqK6OmQPqhwjgJWKYbk6qurviB6jcTXlOHVXVibnXsEPvK:ngmB5OvbgcKYbkEjiocDlOhkbnXsUK
                                                                            TLSH:44557C283BEA0119F2FF6FF11DF13657DA79F3232902965F2085024A5623E85CD916F9
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....zyg.................D..........>b... ........@.. ....................................@................................

                                                                            File Icon

                                                                            Icon Hash:90cececece8e8eb0

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint:0x41623e
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x67797A9A [Sat Jan 4 18:14:50 2025 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                            Entrypoint Preview

                                                                            Instruction
                                                                            jmp dword ptr [00402000h]
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al

                                                                            Data Directories

                                                                            NameVirtual AddressVirtual Size Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x161ec0x4f.text
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x180000x4f6.rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x1a0000xc.reloc
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                            Sections

                                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                            .text0x20000x142440x14400ed0b09804c5584628faf6918c80c4b24False0.6049021026234568data5.984235038846865IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                            .rsrc0x180000x4f60x600ce79f9f17838f8135d3308fcd9fcb781False0.3815104166666667data3.7974596304165495IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                            .reloc0x1a0000xc0x20077a1125d01411e5890f960bf1dba613fFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                            Resources

                                                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                            RT_VERSION0x180a00x26cdata0.4596774193548387
                                                                            RT_MANIFEST0x1830c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                                            Imports

                                                                            DLLImport
                                                                            mscoree.dll_CorExeMain

                                                                            Network Behavior

                                                                            Suricata IDS Alerts

                                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                            2025-01-05T20:33:02.801620+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2461472192.168.2.449738TCP
                                                                            2025-01-05T20:33:02.801620+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21147.185.221.2461472192.168.2.449738TCP
                                                                            2025-01-05T20:33:06.186117+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2461472192.168.2.449738TCP
                                                                            2025-01-05T20:33:06.187523+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449738147.185.221.2461472TCP
                                                                            2025-01-05T20:33:18.591573+01002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.449738147.185.221.2461472TCP
                                                                            2025-01-05T20:33:19.032487+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2461472192.168.2.449738TCP
                                                                            2025-01-05T20:33:19.035723+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449738147.185.221.2461472TCP
                                                                            2025-01-05T20:33:31.652308+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2461472192.168.2.449738TCP
                                                                            2025-01-05T20:33:31.654408+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449738147.185.221.2461472TCP
                                                                            2025-01-05T20:33:32.799137+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2461472192.168.2.449738TCP
                                                                            2025-01-05T20:33:32.799137+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21147.185.221.2461472192.168.2.449738TCP
                                                                            2025-01-05T20:33:44.390005+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2461472192.168.2.449738TCP
                                                                            2025-01-05T20:33:44.392189+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449738147.185.221.2461472TCP
                                                                            2025-01-05T20:33:57.121604+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2461472192.168.2.449738TCP
                                                                            2025-01-05T20:33:57.123379+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449738147.185.221.2461472TCP
                                                                            2025-01-05T20:33:58.731002+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2461472192.168.2.449738TCP
                                                                            2025-01-05T20:33:58.732649+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449738147.185.221.2461472TCP
                                                                            2025-01-05T20:34:00.652449+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2461472192.168.2.449738TCP
                                                                            2025-01-05T20:34:00.657534+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449738147.185.221.2461472TCP
                                                                            2025-01-05T20:34:02.813450+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2461472192.168.2.449738TCP
                                                                            2025-01-05T20:34:02.813450+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21147.185.221.2461472192.168.2.449738TCP
                                                                            2025-01-05T20:34:07.226278+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2461472192.168.2.449738TCP
                                                                            2025-01-05T20:34:07.226938+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449738147.185.221.2461472TCP

                                                                            Network Port Distribution

                                                                            TCP Packets

                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                            Jan 5, 2025 20:32:00.742285967 CET4973080192.168.2.4208.95.112.1
                                                                            Jan 5, 2025 20:32:00.747128963 CET8049730208.95.112.1192.168.2.4
                                                                            Jan 5, 2025 20:32:00.747279882 CET4973080192.168.2.4208.95.112.1
                                                                            Jan 5, 2025 20:32:00.747831106 CET4973080192.168.2.4208.95.112.1
                                                                            Jan 5, 2025 20:32:00.752588987 CET8049730208.95.112.1192.168.2.4
                                                                            Jan 5, 2025 20:32:01.207195044 CET8049730208.95.112.1192.168.2.4
                                                                            Jan 5, 2025 20:32:01.247338057 CET4973080192.168.2.4208.95.112.1
                                                                            Jan 5, 2025 20:32:43.552272081 CET8049730208.95.112.1192.168.2.4
                                                                            Jan 5, 2025 20:32:43.552340984 CET4973080192.168.2.4208.95.112.1
                                                                            Jan 5, 2025 20:32:53.078284979 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:32:53.083647966 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:32:53.083717108 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:32:53.135243893 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:32:53.139986038 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:02.801620007 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:02.856676102 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:33:05.859401941 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:33:05.864206076 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:06.186116934 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:06.187522888 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:33:06.192301035 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:18.591573000 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:33:18.710247993 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:19.032486916 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:19.035722971 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:33:19.040582895 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:31.325737000 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:33:31.330601931 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:31.652307987 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:31.654407978 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:33:31.659193993 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:32.799137115 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:32.841105938 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:33:41.217622995 CET4973080192.168.2.4208.95.112.1
                                                                            Jan 5, 2025 20:33:41.222533941 CET8049730208.95.112.1192.168.2.4
                                                                            Jan 5, 2025 20:33:44.060086966 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:33:44.067634106 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:44.390005112 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:44.392189026 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:33:44.396986008 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:56.794522047 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:33:56.800143003 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:57.121603966 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:57.123378992 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:33:57.128231049 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:58.404140949 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:33:58.409044027 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:58.731002092 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:33:58.732649088 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:33:58.737854004 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:34:00.325920105 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:34:00.331171989 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:34:00.652448893 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:34:00.657533884 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:34:00.662643909 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:34:02.813450098 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:34:02.856914043 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:34:06.900203943 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:34:06.905090094 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:34:07.226278067 CET6147249738147.185.221.24192.168.2.4
                                                                            Jan 5, 2025 20:34:07.226938009 CET4973861472192.168.2.4147.185.221.24
                                                                            Jan 5, 2025 20:34:07.231751919 CET6147249738147.185.221.24192.168.2.4

                                                                            UDP Packets

                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                            Jan 5, 2025 20:32:00.729773998 CET6140953192.168.2.41.1.1.1
                                                                            Jan 5, 2025 20:32:00.736459017 CET53614091.1.1.1192.168.2.4
                                                                            Jan 5, 2025 20:32:53.065944910 CET5114653192.168.2.41.1.1.1
                                                                            Jan 5, 2025 20:32:53.073975086 CET53511461.1.1.1192.168.2.4

                                                                            DNS Queries

                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                            Jan 5, 2025 20:32:00.729773998 CET192.168.2.41.1.1.10xfa60Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                            Jan 5, 2025 20:32:53.065944910 CET192.168.2.41.1.1.10xb33cStandard query (0)24.ip.gl.ply.ggA (IP address)IN (0x0001)false

                                                                            DNS Answers

                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                            Jan 5, 2025 20:32:00.736459017 CET1.1.1.1192.168.2.40xfa60No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                            Jan 5, 2025 20:32:53.073975086 CET1.1.1.1192.168.2.40xb33cNo error (0)24.ip.gl.ply.gg147.185.221.24A (IP address)IN (0x0001)false

                                                                            HTTP Request Dependency Graph

                                                                            • ip-api.com

                                                                            HTTP Packets

                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            0192.168.2.449730208.95.112.1807536C:\Users\user\Desktop\BootstrapperV1.16.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Jan 5, 2025 20:32:00.747831106 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                                            Host: ip-api.com
                                                                            Connection: Keep-Alive
                                                                            Jan 5, 2025 20:32:01.207195044 CET175INHTTP/1.1 200 OK
                                                                            Date: Sun, 05 Jan 2025 19:32:00 GMT
                                                                            Content-Type: text/plain; charset=utf-8
                                                                            Content-Length: 6
                                                                            Access-Control-Allow-Origin: *
                                                                            X-Ttl: 60
                                                                            X-Rl: 44
                                                                            Data Raw: 66 61 6c 73 65 0a
                                                                            Data Ascii: false


                                                                            Statistics

                                                                            CPU Usage

                                                                            Click to jump to process

                                                                            Memory Usage

                                                                            Click to jump to process

                                                                            High Level Behavior Distribution

                                                                            Click to dive into process behavior distribution

                                                                            Behavior

                                                                            Click to jump to process

                                                                            System Behavior

                                                                            General

                                                                            Target ID:0
                                                                            Start time:14:31:56
                                                                            Start date:05/01/2025
                                                                            Path:C:\Users\user\Desktop\BootstrapperV1.16.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Users\user\Desktop\BootstrapperV1.16.exe"
                                                                            Imagebase:0x880000
                                                                            File size:1'321'984 bytes
                                                                            MD5 hash:835C37F624F71F8B24E75E261CD3C128
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2961557097.0000000012A22000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2961557097.0000000012A22000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1675665365.0000000000882000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1675665365.0000000000882000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2931914531.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:low
                                                                            Has exited:false

                                                                            General

                                                                            Target ID:1
                                                                            Start time:14:32:00
                                                                            Start date:05/01/2025
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\BootstrapperV1.16.exe'
                                                                            Imagebase:0x7ff788560000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:2
                                                                            Start time:14:32:00
                                                                            Start date:05/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:4
                                                                            Start time:14:32:07
                                                                            Start date:05/01/2025
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BootstrapperV1.16.exe'
                                                                            Imagebase:0x7ff788560000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:5
                                                                            Start time:14:32:07
                                                                            Start date:05/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:7
                                                                            Start time:14:32:17
                                                                            Start date:05/01/2025
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\RuntimeBroker.exe'
                                                                            Imagebase:0x7ff788560000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:8
                                                                            Start time:14:32:17
                                                                            Start date:05/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:11
                                                                            Start time:14:32:31
                                                                            Start date:05/01/2025
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
                                                                            Imagebase:0x7ff788560000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:12
                                                                            Start time:14:32:31
                                                                            Start date:05/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:13
                                                                            Start time:14:33:05
                                                                            Start date:05/01/2025
                                                                            Path:C:\Users\user\AppData\Roaming\RuntimeBroker.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"
                                                                            Imagebase:0x120000
                                                                            File size:1'321'984 bytes
                                                                            MD5 hash:835C37F624F71F8B24E75E261CD3C128
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: Joe Security
                                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: Joe Security
                                                                            • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: Sekoia.io
                                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, Author: ditekSHen
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            • Detection: 76%, ReversingLabs
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:14
                                                                            Start time:14:33:13
                                                                            Start date:05/01/2025
                                                                            Path:C:\Users\user\AppData\Roaming\RuntimeBroker.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"
                                                                            Imagebase:0x50000
                                                                            File size:1'321'984 bytes
                                                                            MD5 hash:835C37F624F71F8B24E75E261CD3C128
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Disassembly

                                                                            Reset < >

                                                                              Execution Graph

                                                                              Execution Coverage:19.1%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:50%
                                                                              Total number of Nodes:6
                                                                              Total number of Limit Nodes:0

                                                                              Executed Functions

                                                                              Function 00007FFD9B88A738 Relevance: 2.4, Strings: 1, Instructions: 1137COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 22 7ffd9b88a738-7ffd9b88dfa3 24 7ffd9b88dfa5-7ffd9b88dfb0 call 7ffd9b880a38 22->24 25 7ffd9b88dfed-7ffd9b88e000 22->25 29 7ffd9b88dfb5-7ffd9b88e000 24->29 27 7ffd9b88e076 25->27 28 7ffd9b88e002-7ffd9b88e01f 25->28 30 7ffd9b88e07b-7ffd9b88e090 27->30 28->30 32 7ffd9b88e021-7ffd9b88e071 call 7ffd9b88c100 28->32 29->27 29->28 37 7ffd9b88e0ae-7ffd9b88e0c3 30->37 38 7ffd9b88e092-7ffd9b88e0a9 call 7ffd9b8811f8 call 7ffd9b880a48 30->38 59 7ffd9b88ec3e-7ffd9b88ec4c 32->59 45 7ffd9b88e0c5-7ffd9b88e0f5 call 7ffd9b8811f8 37->45 46 7ffd9b88e0fa-7ffd9b88e10f 37->46 38->59 45->59 55 7ffd9b88e111-7ffd9b88e11d call 7ffd9b88b848 46->55 56 7ffd9b88e122-7ffd9b88e137 46->56 55->59 65 7ffd9b88e139-7ffd9b88e13c 56->65 66 7ffd9b88e17d-7ffd9b88e192 56->66 65->27 67 7ffd9b88e142-7ffd9b88e14d 65->67 71 7ffd9b88e1d3-7ffd9b88e1e8 66->71 72 7ffd9b88e194-7ffd9b88e197 66->72 67->27 70 7ffd9b88e153-7ffd9b88e178 call 7ffd9b880a20 call 7ffd9b88b848 67->70 70->59 79 7ffd9b88e215-7ffd9b88e22a 71->79 80 7ffd9b88e1ea-7ffd9b88e1ed 71->80 72->27 74 7ffd9b88e19d-7ffd9b88e1a8 72->74 74->27 77 7ffd9b88e1ae-7ffd9b88e1ce call 7ffd9b880a20 call 7ffd9b88a788 74->77 77->59 89 7ffd9b88e230-7ffd9b88e27c call 7ffd9b8809a8 79->89 90 7ffd9b88e302-7ffd9b88e317 79->90 80->27 82 7ffd9b88e1f3-7ffd9b88e210 call 7ffd9b880a20 call 7ffd9b88a790 80->82 82->59 89->27 123 7ffd9b88e282-7ffd9b88e2ba call 7ffd9b8874d0 89->123 98 7ffd9b88e336-7ffd9b88e34b 90->98 99 7ffd9b88e319-7ffd9b88e31c 90->99 107 7ffd9b88e36d-7ffd9b88e382 98->107 108 7ffd9b88e34d-7ffd9b88e350 98->108 99->27 100 7ffd9b88e322-7ffd9b88e331 call 7ffd9b88a768 99->100 100->59 114 7ffd9b88e3a2-7ffd9b88e3b7 107->114 115 7ffd9b88e384-7ffd9b88e39d 107->115 108->27 109 7ffd9b88e356-7ffd9b88e368 call 7ffd9b88a768 108->109 109->59 120 7ffd9b88e3d7-7ffd9b88e3ec 114->120 121 7ffd9b88e3b9-7ffd9b88e3d2 114->121 115->59 126 7ffd9b88e40c-7ffd9b88e421 120->126 127 7ffd9b88e3ee-7ffd9b88e407 120->127 121->59 123->27 140 7ffd9b88e2c0-7ffd9b88e2fd call 7ffd9b88b878 123->140 133 7ffd9b88e44a-7ffd9b88e45f 126->133 134 7ffd9b88e423-7ffd9b88e426 126->134 127->59 141 7ffd9b88e465-7ffd9b88e4dd 133->141 142 7ffd9b88e4ff-7ffd9b88e514 133->142 134->27 135 7ffd9b88e42c-7ffd9b88e445 134->135 135->59 140->59 141->27 169 7ffd9b88e4e3-7ffd9b88e4fa 141->169 148 7ffd9b88e516-7ffd9b88e527 142->148 149 7ffd9b88e52c-7ffd9b88e541 142->149 148->59 156 7ffd9b88e547-7ffd9b88e560 149->156 157 7ffd9b88e5e1-7ffd9b88e5f6 149->157 156->157 163 7ffd9b88e5f8-7ffd9b88e609 157->163 164 7ffd9b88e60e-7ffd9b88e623 157->164 163->59 170 7ffd9b88e625-7ffd9b88e65f call 7ffd9b880d10 call 7ffd9b88c100 164->170 171 7ffd9b88e664-7ffd9b88e679 164->171 169->59 170->59 175 7ffd9b88e67f-7ffd9b88e71b call 7ffd9b880d10 call 7ffd9b88c100 171->175 176 7ffd9b88e720-7ffd9b88e735 171->176 175->59 182 7ffd9b88e73b-7ffd9b88e73e 176->182 183 7ffd9b88e7c3-7ffd9b88e7d8 176->183 184 7ffd9b88e7b8-7ffd9b88e7bd 182->184 185 7ffd9b88e740-7ffd9b88e74b 182->185 190 7ffd9b88e7da-7ffd9b88e7e7 call 7ffd9b88c100 183->190 191 7ffd9b88e7ec-7ffd9b88e801 183->191 199 7ffd9b88e7be 184->199 185->184 188 7ffd9b88e74d-7ffd9b88e7b6 call 7ffd9b880d10 call 7ffd9b88c100 185->188 188->199 190->59 203 7ffd9b88e842-7ffd9b88e857 191->203 204 7ffd9b88e803-7ffd9b88e83d call 7ffd9b880d10 call 7ffd9b88c100 191->204 199->59 211 7ffd9b88e85d-7ffd9b88e86e 203->211 212 7ffd9b88e8e2-7ffd9b88e8f7 203->212 204->59 211->27 221 7ffd9b88e874-7ffd9b88e884 call 7ffd9b880a18 211->221 223 7ffd9b88e937-7ffd9b88e94c 212->223 224 7ffd9b88e8f9-7ffd9b88e8fc 212->224 233 7ffd9b88e886-7ffd9b88e8bb call 7ffd9b88c100 221->233 234 7ffd9b88e8c0-7ffd9b88e8dd call 7ffd9b880a18 call 7ffd9b880a20 call 7ffd9b88a740 221->234 235 7ffd9b88e94e-7ffd9b88e98d call 7ffd9b888d40 call 7ffd9b88bdb8 call 7ffd9b88a748 223->235 236 7ffd9b88e992-7ffd9b88e9a7 223->236 224->27 227 7ffd9b88e902-7ffd9b88e932 call 7ffd9b880a10 call 7ffd9b880a20 call 7ffd9b88a740 224->227 227->59 233->59 234->59 235->59 253 7ffd9b88e9a9-7ffd9b88ea0c call 7ffd9b880d10 call 7ffd9b88c100 236->253 254 7ffd9b88ea11-7ffd9b88ea26 236->254 253->59 254->59 273 7ffd9b88ea2c-7ffd9b88eb46 call 7ffd9b88b888 call 7ffd9b88b898 call 7ffd9b88b8a8 call 7ffd9b88b8b8 call 7ffd9b8881b8 call 7ffd9b88b8c8 call 7ffd9b88b898 call 7ffd9b88b8a8 254->273 309 7ffd9b88ebb7-7ffd9b88ebcc call 7ffd9b880d10 273->309 310 7ffd9b88eb48-7ffd9b88eb4c 273->310 312 7ffd9b88ebcd-7ffd9b88ec3d call 7ffd9b880a28 call 7ffd9b88c100 309->312 310->312 313 7ffd9b88eb4e-7ffd9b88ebad call 7ffd9b88b8d8 call 7ffd9b88b8e8 310->313 312->59 313->309
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2973372104.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b880000_BootstrapperV1.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID: 0-3916222277
                                                                              • Opcode ID: ce939926d2650494687a24157acefdc49dcad567d4f955b5545bfe38010fd2e9
                                                                              • Instruction ID: 59d076337c9206c359b9d3e46a7c7297b186e6b66720fe341fd27c7a8ff33dfe
                                                                              • Opcode Fuzzy Hash: ce939926d2650494687a24157acefdc49dcad567d4f955b5545bfe38010fd2e9
                                                                              • Instruction Fuzzy Hash: C6727F30F1D90E4FEBA8EB788465A7972D2EF9C311B514578D42EC36E6DE38E9428740
                                                                              Function 00007FFD9B8816E9 Relevance: 1.8, Strings: 1, Instructions: 522COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2973372104.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b880000_BootstrapperV1.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: CAO_^
                                                                              • API String ID: 0-3111533842
                                                                              • Opcode ID: f7c60bd589b3d10ee1abf2e71bd37eb499accf07fa08a1b383b9e56c7522a764
                                                                              • Instruction ID: 3dc587c5949043acd8127ce0d592ccca4be54286d7b32d6df62b6976df25c757
                                                                              • Opcode Fuzzy Hash: f7c60bd589b3d10ee1abf2e71bd37eb499accf07fa08a1b383b9e56c7522a764
                                                                              • Instruction Fuzzy Hash: 4FF1BE70B29A494FE7A8FB7C88696B977D2FF8C710F410479E45AC32D6DE38A8018741
                                                                              Function 00007FFD9B887871 Relevance: 1.6, APIs: 1, Instructions: 122COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 473 7ffd9b887871-7ffd9b88792d CheckRemoteDebuggerPresent 477 7ffd9b88792f 473->477 478 7ffd9b887935-7ffd9b887978 473->478 477->478
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2973372104.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b880000_BootstrapperV1.jbxd
                                                                              Similarity
                                                                              • API ID: CheckDebuggerPresentRemote
                                                                              • String ID:
                                                                              • API String ID: 3662101638-0
                                                                              • Opcode ID: cc3c20a4c3a85a23a32611e5506239f1685b3527c541c2feeb12746f260179b5
                                                                              • Instruction ID: 0da6cd42be01504d385dbfb824860025fd9a4d482c12c20522daaa284c41ba92
                                                                              • Opcode Fuzzy Hash: cc3c20a4c3a85a23a32611e5506239f1685b3527c541c2feeb12746f260179b5
                                                                              • Instruction Fuzzy Hash: C431133190875C8FCB58DF58C886BE97BF0EF69311F0542ABD489D7292DB34A846CB91
                                                                              Function 00007FFD9B885F31 Relevance: .4, Instructions: 397COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2973372104.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b880000_BootstrapperV1.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 56054ce362e1136e2defa369b081be221bf8908b0fd06ef8d5fc0d3a66049ea5
                                                                              • Instruction ID: d06fcb18fb0cb70df7569df23728cf54803b4e730311250711521422f13d73f4
                                                                              • Opcode Fuzzy Hash: 56054ce362e1136e2defa369b081be221bf8908b0fd06ef8d5fc0d3a66049ea5
                                                                              • Instruction Fuzzy Hash: D2D17370A18E4E8FEBA8DF28C8557E977E1FF58310F44426AE81DC7295DF34A9448B81
                                                                              Function 00007FFD9B882181 Relevance: .4, Instructions: 394COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2973372104.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b880000_BootstrapperV1.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f62561c9c89cddf7239d487f4ee244062294e90ffcf65c5c0d70806813e94ae1
                                                                              • Instruction ID: 91d2e1cd88c66b3425abcaa9f30f3167109d45bbbb2fa91f5de89c8eb22bb615
                                                                              • Opcode Fuzzy Hash: f62561c9c89cddf7239d487f4ee244062294e90ffcf65c5c0d70806813e94ae1
                                                                              • Instruction Fuzzy Hash: 10C18660B1DD4A4FEBA8EFAC887567976D1FF9C300F150179E06EC32E6DE28A9424741
                                                                              Function 00007FFD9B886CE1 Relevance: .4, Instructions: 380COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2973372104.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b880000_BootstrapperV1.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f2c39aa368f5a6c0ac0ad040b1f7c12b301075988f7d8f21fc743593b70b2e3a
                                                                              • Instruction ID: 24a5ae36cea853ce501d62932b461cb6d295fec8ac913cd9c78a22fe5ae8cfb1
                                                                              • Opcode Fuzzy Hash: f2c39aa368f5a6c0ac0ad040b1f7c12b301075988f7d8f21fc743593b70b2e3a
                                                                              • Instruction Fuzzy Hash: 4FD17170A08E4E8FEBA8DF28C8657E977E1FF58310F14826AD81DC7295DE7499408B81
                                                                              Function 00007FFD9B881EF9 Relevance: .2, Instructions: 194COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2973372104.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b880000_BootstrapperV1.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 91c846b88b7fbc998ac99ab27704451853b6f4aca500ea5401ce49d6035f2d42
                                                                              • Instruction ID: fe57ca3d35bdbfee7057731b8d36f072717520e361fb76a98d024c2e4d76a9b8
                                                                              • Opcode Fuzzy Hash: 91c846b88b7fbc998ac99ab27704451853b6f4aca500ea5401ce49d6035f2d42
                                                                              • Instruction Fuzzy Hash: CF51DF10B1EAC90FD796AB785875665BFD5EF8A219B0800FAE09DC71E7DE185806C342
                                                                              Function 00007FFD9B889BB8 Relevance: 1.6, APIs: 1, Instructions: 141COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 459 7ffd9b889bb8-7ffd9b889bbf 460 7ffd9b889bca-7ffd9b889c3d 459->460 461 7ffd9b889bc1-7ffd9b889bc9 459->461 465 7ffd9b889cc9-7ffd9b889ccd 460->465 466 7ffd9b889c43-7ffd9b889c50 460->466 461->460 467 7ffd9b889c52-7ffd9b889c8f SetWindowsHookExW 465->467 466->467 468 7ffd9b889c97-7ffd9b889cc8 467->468 469 7ffd9b889c91 467->469 469->468
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2973372104.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b880000_BootstrapperV1.jbxd
                                                                              Similarity
                                                                              • API ID: HookWindows
                                                                              • String ID:
                                                                              • API String ID: 2559412058-0
                                                                              • Opcode ID: ac24d95d063b35178a49e93cd31e235e1639bed968ef91c42cdcb181f35f2f1c
                                                                              • Instruction ID: 437e93f4f8ca5584d850512a1bdaac409481b66ca6f385356bcc16a7d82a6835
                                                                              • Opcode Fuzzy Hash: ac24d95d063b35178a49e93cd31e235e1639bed968ef91c42cdcb181f35f2f1c
                                                                              • Instruction Fuzzy Hash: 0D411630A0CA5D8FDB58DF6C981A6F9BBE1EF59321F00027ED059C3292DA75A812C781

                                                                              Non-executed Functions

                                                                              Function 00007FFD9B8810FA Relevance: 3.1, Strings: 2, Instructions: 644COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2973372104.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b880000_BootstrapperV1.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 2O_$3O_^
                                                                              • API String ID: 0-4021006474
                                                                              • Opcode ID: 648b7324d3ef36694003a1a148815b239d31a69804571a9ed2d044ff7c3bee90
                                                                              • Instruction ID: 2840887614efe40b205d87270edc50046a0e3ba78e581f5b9621e0194ea127df
                                                                              • Opcode Fuzzy Hash: 648b7324d3ef36694003a1a148815b239d31a69804571a9ed2d044ff7c3bee90
                                                                              • Instruction Fuzzy Hash: 2212F757B0FAD64FE322B7A968750D57F50DF9622570A00F7C1E9CB0E3DD18290A83A1

                                                                              Executed Functions

                                                                              Function 00007FFD9B956605 Relevance: .4, Instructions: 439COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1778154670.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 50e3ffd07015b955b4024a49f6513e05cafddc781951966884fad4a15a2c8ff4
                                                                              • Instruction ID: 1a6b90c8cc76e4005f162e6d7f867b47c9632f1698d8d025e14633e5eca580a4
                                                                              • Opcode Fuzzy Hash: 50e3ffd07015b955b4024a49f6513e05cafddc781951966884fad4a15a2c8ff4
                                                                              • Instruction Fuzzy Hash: CED14832A2FB8E1FEBA59BA848644B57BE0EF56310B0901FED45DC70E3DA58AC05C341
                                                                              Function 00007FFD9B889EF3 Relevance: .3, Instructions: 278COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1777790726.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 658ebaeb2379791bdc0e490a16dcc44a2bdb473e4ef2eb7a1a87c48046015a37
                                                                              • Instruction ID: 1e7fbcd74ce8865db9b6d98c8a01fc81f4710a007f61e97c5d2b923952233655
                                                                              • Opcode Fuzzy Hash: 658ebaeb2379791bdc0e490a16dcc44a2bdb473e4ef2eb7a1a87c48046015a37
                                                                              • Instruction Fuzzy Hash: 9A718263B0BE9A5BE71657ADEC7A4D437A0EF11759B0901B3C5E98F0A3FC2425174382
                                                                              Function 00007FFD9B889738 Relevance: .1, Instructions: 143COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1777790726.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9274ba72817a6ef812e20b27d9eeec43b9378a68ff215cf7751313d6d03c3d84
                                                                              • Instruction ID: 6fc67f9665d5889de750cb33ee9329ac210595246472503a6bded458e1943209
                                                                              • Opcode Fuzzy Hash: 9274ba72817a6ef812e20b27d9eeec43b9378a68ff215cf7751313d6d03c3d84
                                                                              • Instruction Fuzzy Hash: 6D412B71A0DE8C8FDB589F5C981A6A87BE0FB99310F40416FE45893252DA70B805CBC2
                                                                              Function 00007FFD9B76E384 Relevance: .1, Instructions: 124COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1777401782.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b76d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3e5b11eedb313c9588a3451c8d209a48feeafddb7f35d165d480e6b94cd5bc6e
                                                                              • Instruction ID: 30ec66e30e66a6c9da35e71b4ea25969b5fe0d60da727a91ce5efefd4bef6f12
                                                                              • Opcode Fuzzy Hash: 3e5b11eedb313c9588a3451c8d209a48feeafddb7f35d165d480e6b94cd5bc6e
                                                                              • Instruction Fuzzy Hash: AD41267050EBC88FE7568B2998559523FF0EF52310B1606EFE088CB1B3D625A846C7A3
                                                                              Function 00007FFD9B88A47C Relevance: .1, Instructions: 100COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1777790726.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ec09c1bd55467bcb59ad0a0d75523d0a590285e10bafbfbdfd6cf3714fbd2582
                                                                              • Instruction ID: d6eb638180ea81a3bebe192a08025b2c338da0db9d7cb06ccd2010a19e860fdc
                                                                              • Opcode Fuzzy Hash: ec09c1bd55467bcb59ad0a0d75523d0a590285e10bafbfbdfd6cf3714fbd2582
                                                                              • Instruction Fuzzy Hash: 89214C3090CB4C8FDB59DFAC984A7E97FF0EB9A320F04416BD448C3166DA74941ACB92
                                                                              Function 00007FFD9B8833B5 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1777790726.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction ID: 7942ddcb7b366def54c675fdc0a42c1b9c7b229ae68d60287c1eb1a1f3edd8da
                                                                              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                              Function 00007FFD9B95414D Relevance: .0, Instructions: 37COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1778154670.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0f12c3ca706bd90e4a6bd2c24f54174b913bdbb8b78bd1cfd2fb4760190f2314
                                                                              • Instruction ID: 28bb23a967d841024d5c6be5c5fbc1adfe9fa7950b3970e9dfb00dbc038157dc
                                                                              • Opcode Fuzzy Hash: 0f12c3ca706bd90e4a6bd2c24f54174b913bdbb8b78bd1cfd2fb4760190f2314
                                                                              • Instruction Fuzzy Hash: 9BF0BE32B4E5498FD7A8EA9CE4519E873E0EF65320B1640BAE06DC72B7CA25EC41C741
                                                                              Function 00007FFD9B954400 Relevance: .0, Instructions: 35COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1778154670.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d48fd6a8806828cbf3084cea4ee9bafb79648d2541a87ea29e08a120dfc52e4b
                                                                              • Instruction ID: 028c1c1bd505adbacf382e7eeb127e83b47d28b596b48335033f690840e35e75
                                                                              • Opcode Fuzzy Hash: d48fd6a8806828cbf3084cea4ee9bafb79648d2541a87ea29e08a120dfc52e4b
                                                                              • Instruction Fuzzy Hash: 8DF0BE32A8E5498FD7A8EA9CE0609A873E0FF0532074600BAE05DCB1A7CA25BC40C740
                                                                              Function 00007FFD9B9541D1 Relevance: .0, Instructions: 29COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1778154670.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                              • Instruction ID: ef0e477c3a8d88fbc3791122f3f41a252fcdd9f92c2fd245001ca178e7a9b1aa
                                                                              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                              • Instruction Fuzzy Hash: A8E0123175C4089FDAB8DA8CE0519A973E1EBA832171141BBD14EC7675CA21ED518B80

                                                                              Non-executed Functions

                                                                              Function 00007FFD9B888BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1777790726.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: N_^4$N_^7$N_^F$N_^J
                                                                              • API String ID: 0-3508309026
                                                                              • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                              • Instruction ID: 3d73ddd26afee8af5c4e977c855be3ba5e549368567e4c73e868d7912246f78f
                                                                              • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                              • Instruction Fuzzy Hash: B32107B77084358ED30A7BBCBD289D93740DB9423874501B3D2A9CB183E914608786C1

                                                                              Executed Functions

                                                                              Function 00007FFD9B96660A Relevance: .4, Instructions: 426COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1870142961.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 526f17fdd103035fd827f47e93e5def20de09d4bb3ad583555ab251a841d4c8a
                                                                              • Instruction ID: 3bac84eeebc4d1bb79a427e85be5b63ce97f4d348727a6fdbb42b77b8bf30028
                                                                              • Opcode Fuzzy Hash: 526f17fdd103035fd827f47e93e5def20de09d4bb3ad583555ab251a841d4c8a
                                                                              • Instruction Fuzzy Hash: 37C15932A2FA8E9FEBA5DB6858655B57BD0EF55310F0901BED05DC70E3DA18AD01C341
                                                                              Function 00007FFD9B89B258 Relevance: .4, Instructions: 359COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1868713882.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d6c44f8daf6152929677ecd3ba62611ee4e9e59fc37d5475422045c8b08e7008
                                                                              • Instruction ID: 2e9857e406d0c373dd94c39b5e25e06329598ba93124388fd4b5b04df23e31bd
                                                                              • Opcode Fuzzy Hash: d6c44f8daf6152929677ecd3ba62611ee4e9e59fc37d5475422045c8b08e7008
                                                                              • Instruction Fuzzy Hash: 97B16870A1DB898FDB58DF5CC895AB57BE0FF99310F10017ED08AC32A6DA25E846CB41
                                                                              Function 00007FFD9B96664A Relevance: .3, Instructions: 259COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1870142961.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0878de2d375a7dfdf153a8a65f23139be77ba35765163a2ab77888aae36564a8
                                                                              • Instruction ID: b994cfa28a8012370c30205f7b067c4c3f620d2495709a52f371a758054c2ffa
                                                                              • Opcode Fuzzy Hash: 0878de2d375a7dfdf153a8a65f23139be77ba35765163a2ab77888aae36564a8
                                                                              • Instruction Fuzzy Hash: 5C812422B2FB8A9FEBB997A848745B47BD1EF11300B4A01FEC05CCB0E7D918AC008341
                                                                              Function 00007FFD9B899750 Relevance: .1, Instructions: 147COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1868713882.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 07e055cc34eca33c1e13c08639d9f416c30f8d739e2eac9e14cc4bd6d657b6b5
                                                                              • Instruction ID: cdc2250ec02a8f45eef5b8aa80452f3d21d0599f56ea6db96cf2c09d708651d1
                                                                              • Opcode Fuzzy Hash: 07e055cc34eca33c1e13c08639d9f416c30f8d739e2eac9e14cc4bd6d657b6b5
                                                                              • Instruction Fuzzy Hash: 32412871A0DB888FDB189F5C9C0A6A97FF0EB59311F0441AFE099C3292CA24A905C7C2
                                                                              Function 00007FFD9B77ED40 Relevance: .1, Instructions: 124COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1867906679.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b77d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 96f09e51a5d35f5ba130b53534019c9544a83d931c26c1897a33029f54452068
                                                                              • Instruction ID: 3b9e5debf2d97f8dffded1967cb878b018cd120389cfaead03aca8ee3cbfd82f
                                                                              • Opcode Fuzzy Hash: 96f09e51a5d35f5ba130b53534019c9544a83d931c26c1897a33029f54452068
                                                                              • Instruction Fuzzy Hash: B141193040EBC44FE7569B2898959523FF4EF57320B1606DFD088CB1B3D629A846C792
                                                                              Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1868713882.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                              • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                                                              • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                              • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                              Function 00007FFD9B89A0FB Relevance: .0, Instructions: 42COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1868713882.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fdaa9238bf04b371c5cfaa455c330d207ed3d73190ee457c3613ab2ca8821ac6
                                                                              • Instruction ID: 4f94683101717c6446076df272a36d13774ffdefc315ef6df46a586bb9497e05
                                                                              • Opcode Fuzzy Hash: fdaa9238bf04b371c5cfaa455c330d207ed3d73190ee457c3613ab2ca8821ac6
                                                                              • Instruction Fuzzy Hash: 7BF0FC3AB1AA8C5FEB91EF1CD8654E87FA0FF5A315B0502B7D449C7071DE3195488B82
                                                                              Function 00007FFD9B96414D Relevance: .0, Instructions: 37COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1870142961.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b556082a0c4808975d4fc78b5b65b14ce8d9cf3c3fa3614dbdfb4ff18b782d2b
                                                                              • Instruction ID: 8d7637e51b886dc4bfd8f4962ece14714b6a7df1f81a4f6eb19f5047b2e218ce
                                                                              • Opcode Fuzzy Hash: b556082a0c4808975d4fc78b5b65b14ce8d9cf3c3fa3614dbdfb4ff18b782d2b
                                                                              • Instruction Fuzzy Hash: 9DF0BE32B0E5498FD768EB9CE4519E873E0EF6532071640BAE06DC72B3CA25EC41C741
                                                                              Function 00007FFD9B964400 Relevance: .0, Instructions: 35COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1870142961.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c671067ca943b75b2bdacfce0b721934b48cc2f5b9f6d5a72a0071d818ab5cf1
                                                                              • Instruction ID: 37b36513034b6ad6aff8b357b4ed0f30b440f5868c89af53f738a894d4a245ec
                                                                              • Opcode Fuzzy Hash: c671067ca943b75b2bdacfce0b721934b48cc2f5b9f6d5a72a0071d818ab5cf1
                                                                              • Instruction Fuzzy Hash: 75F0BE32A0E5498FD769EB9CE0619A873E0FF0532074600BAE05DCB1A3CA26AC40C740
                                                                              Function 00007FFD9B9641D1 Relevance: .0, Instructions: 29COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1870142961.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                              • Instruction ID: c307260e9cdd7784a7691b08768f083a0fcbbbef75ed33e7c580895a31fc6b9b
                                                                              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                              • Instruction Fuzzy Hash: ADE01A31B1C808DFDA78DA8CE051AE973E1EBA832171241BBD14EC7671CA22ED518B80

                                                                              Non-executed Functions

                                                                              Function 00007FFD9B898BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1868713882.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                              • API String ID: 0-962139525
                                                                              • Opcode ID: 32ba26589fa0e7a62dd8a312b3dc4cc8d233eb561294beb8cf2edc3a6d3793b8
                                                                              • Instruction ID: ad9997269ca045c2f6f29c292932e0e691c5b571fa522245f23bec43a457ca72
                                                                              • Opcode Fuzzy Hash: 32ba26589fa0e7a62dd8a312b3dc4cc8d233eb561294beb8cf2edc3a6d3793b8
                                                                              • Instruction Fuzzy Hash: 2021C2B3B04525CAD30A36ACBC559D87780DF5437938603F3E029CF193F958A48B8A81

                                                                              Executed Functions

                                                                              Function 00007FFD9B956605 Relevance: 1.7, Strings: 1, Instructions: 444COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2018905233.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7ffd9b950000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: X78
                                                                              • API String ID: 0-2070531975
                                                                              • Opcode ID: 0f274a02b30c72e11f10c8d761cb00faeb36cdd7173e1e4182df503ad4049b1b
                                                                              • Instruction ID: ab88b8ce7de2526c1353674cc0fa35cd26895a06ce9bdb15fa38e39808bb0aa6
                                                                              • Opcode Fuzzy Hash: 0f274a02b30c72e11f10c8d761cb00faeb36cdd7173e1e4182df503ad4049b1b
                                                                              • Instruction Fuzzy Hash: 76D14732A2FB8E1FEBA59BA848744B57BA0EF16314B0901FED45DC70E3DA18AC05C341
                                                                              Function 00007FFD9B889F52 Relevance: .2, Instructions: 214COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2018020702.00007FFD9B885000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B885000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7ffd9b885000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4f5ac26f575effe73e8ec0a7bdf54138cbdf185878c88417d459cb973bd9f966
                                                                              • Instruction ID: e305bf9046e6ff695b961c479b112620688825d50b0a69d3c2f7aa911e1de24d
                                                                              • Opcode Fuzzy Hash: 4f5ac26f575effe73e8ec0a7bdf54138cbdf185878c88417d459cb973bd9f966
                                                                              • Instruction Fuzzy Hash: A0517163B0BE994FD7165BACDC760D53B60EF16729B0901B3C1E88B0A3ED3426578382
                                                                              Function 00007FFD9B889738 Relevance: .1, Instructions: 140COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2018020702.00007FFD9B885000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B885000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7ffd9b885000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ea291038bca7b1ac800107396097c2f4cee54b697d14386f23dd20564cbdc340
                                                                              • Instruction ID: cf9b6c0f80678d3d175d8039072c3ecf54b6e8a9e746cb95b7064936df270b17
                                                                              • Opcode Fuzzy Hash: ea291038bca7b1ac800107396097c2f4cee54b697d14386f23dd20564cbdc340
                                                                              • Instruction Fuzzy Hash: E2412B71A0DE4C8FDB58AF5C984A6AC7BE0FF99310F00416FE45983292DB30A905CBC2
                                                                              Function 00007FFD9B76E540 Relevance: .1, Instructions: 123COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2016885066.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7ffd9b76d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 061d2e4d79eb124b3e1b13278e903b37ac22c78b29e112dd101bf96a08ecd946
                                                                              • Instruction ID: 4b1a432e94e7a2351a8a1cc2ddb4f7eab72182286f58d6cb2c5cebbe55ac8830
                                                                              • Opcode Fuzzy Hash: 061d2e4d79eb124b3e1b13278e903b37ac22c78b29e112dd101bf96a08ecd946
                                                                              • Instruction Fuzzy Hash: B341E57040EBC48FE7569B399C519523FF0EF52224B1A06DFD088CB1B7D625A846C7A2
                                                                              Function 00007FFD9B88A47C Relevance: .1, Instructions: 99COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2018020702.00007FFD9B885000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B885000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7ffd9b885000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 94fc40e7fa4507e0825259735fd0cc218c15fdc0288af5828a63052e7664d12d
                                                                              • Instruction ID: ea457e6f7d95266bdb542b541fa4187523303e99917800a1869912ab9f48e723
                                                                              • Opcode Fuzzy Hash: 94fc40e7fa4507e0825259735fd0cc218c15fdc0288af5828a63052e7664d12d
                                                                              • Instruction Fuzzy Hash: CF212B3090CB4C8FDB59DBAC984A7E97FE0EB5A320F04416BD048C31A2DA749416CB91
                                                                              Function 00007FFD9B8833B5 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2018020702.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7ffd9b880000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction ID: 7942ddcb7b366def54c675fdc0a42c1b9c7b229ae68d60287c1eb1a1f3edd8da
                                                                              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                              Function 00007FFD9B95414D Relevance: .0, Instructions: 37COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2018905233.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7ffd9b950000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 47eb89e38e3f87612cae5d00e51cb978436f4b8fee9d90acb15735ee7993a708
                                                                              • Instruction ID: 3a3c21e483923a3ed997106dbec21c7a0b7a8dab6ea743698238f381705e954c
                                                                              • Opcode Fuzzy Hash: 47eb89e38e3f87612cae5d00e51cb978436f4b8fee9d90acb15735ee7993a708
                                                                              • Instruction Fuzzy Hash: 83F0B432B4D5098FD7A8EA9CE4519E473E0EF65320B1640BAE06DC71B7CA25EC40C741
                                                                              Function 00007FFD9B954400 Relevance: .0, Instructions: 35COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2018905233.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7ffd9b950000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e81dfae863ba3d45a4c5d0dcef2ad6beb40250e951fd06ddd1263c75ff618015
                                                                              • Instruction ID: 0aa55bebb50f60faba5cf0ea934d35d6018dd68991782b3e4b24f7d178cd41a1
                                                                              • Opcode Fuzzy Hash: e81dfae863ba3d45a4c5d0dcef2ad6beb40250e951fd06ddd1263c75ff618015
                                                                              • Instruction Fuzzy Hash: 2AF0B431A4D5498FD794EA9CE0609A873E0EF0532074600BAE05DCB1A7CA25BC40C740
                                                                              Function 00007FFD9B9541D1 Relevance: .0, Instructions: 29COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2018905233.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7ffd9b950000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                              • Instruction ID: ef0e477c3a8d88fbc3791122f3f41a252fcdd9f92c2fd245001ca178e7a9b1aa
                                                                              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                              • Instruction Fuzzy Hash: A8E0123175C4089FDAB8DA8CE0519A973E1EBA832171141BBD14EC7675CA21ED518B80

                                                                              Non-executed Functions

                                                                              Function 00007FFD9B888995 Relevance: 5.2, Strings: 4, Instructions: 161COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2018020702.00007FFD9B885000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B885000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7ffd9b885000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: N_^$N_^$N_^$N_^
                                                                              • API String ID: 0-3900292545
                                                                              • Opcode ID: 8f3cfcc2526b317a43dc642a504cad7a03067f244bd87dc777abc708bb7dec2a
                                                                              • Instruction ID: 26e51f075560f4976049f63d62f1594eb11f56b877670b1b57b3550b3ff7076e
                                                                              • Opcode Fuzzy Hash: 8f3cfcc2526b317a43dc642a504cad7a03067f244bd87dc777abc708bb7dec2a
                                                                              • Instruction Fuzzy Hash: 0C419092A0FAD61FE76647698C790956FA0EF1675470E02F7C1E98B0E3ED2825078353
                                                                              Function 00007FFD9B888BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2018020702.00007FFD9B885000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B885000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7ffd9b885000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: N_^4$N_^7$N_^F$N_^J
                                                                              • API String ID: 0-3508309026
                                                                              • Opcode ID: dabbe24802d554556fd15f6229eae3468619220f0459efd10296f077a3207134
                                                                              • Instruction ID: 3d73ddd26afee8af5c4e977c855be3ba5e549368567e4c73e868d7912246f78f
                                                                              • Opcode Fuzzy Hash: dabbe24802d554556fd15f6229eae3468619220f0459efd10296f077a3207134
                                                                              • Instruction Fuzzy Hash: B32107B77084358ED30A7BBCBD289D93740DB9423874501B3D2A9CB183E914608786C1

                                                                              Executed Functions

                                                                              Function 00007FFD9B976605 Relevance: .4, Instructions: 443COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2215757434.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b970000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 15fd003723520c498e0b5321677922b6863f8e1a17283b0233686905bd1c06dd
                                                                              • Instruction ID: d5929a6605239cf3a40b19a918506cb944cb7cc198cb8a2a7691fc2e723775e6
                                                                              • Opcode Fuzzy Hash: 15fd003723520c498e0b5321677922b6863f8e1a17283b0233686905bd1c06dd
                                                                              • Instruction Fuzzy Hash: 5BD13722A1FB8D1FEBA5DB6848A55B57BE0EF16254B0901FED05DCB0E3DA18A9058341
                                                                              Function 00007FFD9B8A9750 Relevance: .1, Instructions: 142COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2214736648.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b8a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e1a0800db10379f027633dc8b1ec5a6f75c739df95ccce64aafdbb422fa02553
                                                                              • Instruction ID: 734c6fe43bc867ec9d9b3e31dc66352cb4a0113c8ff7806134fba865768f97f5
                                                                              • Opcode Fuzzy Hash: e1a0800db10379f027633dc8b1ec5a6f75c739df95ccce64aafdbb422fa02553
                                                                              • Instruction Fuzzy Hash: A5413A7190DB888FDB18DF5C9C0A6A87FE0FB5A310F04416FE499C3292DA60B915CBC2
                                                                              Function 00007FFD9B78E620 Relevance: .1, Instructions: 123COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2213649706.00007FFD9B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b78d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 03347c520cc399da02e7915f525d04e4aa699cdb4a25bfc4ae0b8c48046bcaed
                                                                              • Instruction ID: 482f1402b3cd6b5348284c5bbe9e66529413ce4202c0fe6bd87e935764c017b1
                                                                              • Opcode Fuzzy Hash: 03347c520cc399da02e7915f525d04e4aa699cdb4a25bfc4ae0b8c48046bcaed
                                                                              • Instruction Fuzzy Hash: 8F41347150EBC44FE7568B28D8959523FF0EF52320B1A02DFD088CB1B3D729A846C7A2
                                                                              Function 00007FFD9B8AA49C Relevance: .1, Instructions: 100COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2214736648.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b8a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 19cbcc1190362a5c4ac85e7134a200263a6aeb327a21b2ae6f1d2580cf983f96
                                                                              • Instruction ID: 740f37d3fc87f628311d903524d62752a56fef760e8511defe3296d094be4921
                                                                              • Opcode Fuzzy Hash: 19cbcc1190362a5c4ac85e7134a200263a6aeb327a21b2ae6f1d2580cf983f96
                                                                              • Instruction Fuzzy Hash: E221F63190C74C4FDB59DBAC988A7E97FE0EB96321F04416BD448C3166DA74A81ACB92
                                                                              Function 00007FFD9B8A33B5 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2214736648.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b8a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                              • Instruction ID: 2d8e5c199f5335979778887b622e34919a8febb75adba4d6537578fae4bb4e89
                                                                              • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                              • Instruction Fuzzy Hash: 8601677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5DA36E882CB45
                                                                              Function 00007FFD9B8AA0FB Relevance: .0, Instructions: 41COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2214736648.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b8a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b13eed62f6c8973fd2bda75e266ff39ca74fa75627d5159124cd02b23af15129
                                                                              • Instruction ID: 47f25ed03b015c90883cfab8048cfe85ff5ba9937abb97d0dbac18cc133209cc
                                                                              • Opcode Fuzzy Hash: b13eed62f6c8973fd2bda75e266ff39ca74fa75627d5159124cd02b23af15129
                                                                              • Instruction Fuzzy Hash: 7CF0F67660AA8C5FDB51DF2C98690E47FA0FF66201B0501ABD449C7061DA715948C7C2
                                                                              Function 00007FFD9B97414D Relevance: .0, Instructions: 37COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2215757434.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b970000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7293a2339f461a3556818f52ba56bb4a71fb8fdb701018cfb96c05c7e27bfb60
                                                                              • Instruction ID: 4fde40695b0f4246870b30fd2f6bc2b6a916cb90139b9304e01ee9d88000a30e
                                                                              • Opcode Fuzzy Hash: 7293a2339f461a3556818f52ba56bb4a71fb8fdb701018cfb96c05c7e27bfb60
                                                                              • Instruction Fuzzy Hash: B6F0B432B1D5098FD768EA5CE4519A873E0EF6533071640BAE06DC75B3CA25EC40C745
                                                                              Function 00007FFD9B974400 Relevance: .0, Instructions: 35COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2215757434.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b970000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 047323910a2ec949f22d693361eefda808f38aba0f60a4411fa9abc428e9256c
                                                                              • Instruction ID: 61a7cbaa71c2b40844e11a7151f3969eb5ca7f9ebccc363c51840d2dbd0ec2a7
                                                                              • Opcode Fuzzy Hash: 047323910a2ec949f22d693361eefda808f38aba0f60a4411fa9abc428e9256c
                                                                              • Instruction Fuzzy Hash: DEF0BE32A0E5498FD764EA5CE4A09A873E0EF05320B5600FAE05DCB1B3CA26AC40C740
                                                                              Function 00007FFD9B9741D1 Relevance: .0, Instructions: 29COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2215757434.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b970000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                              • Instruction ID: 664ee9e526855705bcffdcfcbd412457206555aceccb5f816b9e306c4c7c1cf4
                                                                              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                              • Instruction Fuzzy Hash: 43E0123171C4089FD678EA4CE0919AD73E5EBA833171241BBD14EC7672CA21ED518B85

                                                                              Non-executed Functions

                                                                              Function 00007FFD9B8A8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2214736648.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b8a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
                                                                              • API String ID: 0-1415242001
                                                                              • Opcode ID: 43fc97dd348e09cb18fe9713d6d3d241ea91d68ddf1fc4c99a3e80af88e2cd8f
                                                                              • Instruction ID: e7c9e3fbdb16d3d3ea5212ac3ffb3de1b4bcdf25e518ceaaa350289893b59a2e
                                                                              • Opcode Fuzzy Hash: 43fc97dd348e09cb18fe9713d6d3d241ea91d68ddf1fc4c99a3e80af88e2cd8f
                                                                              • Instruction Fuzzy Hash: E72107B37045258AC30A37ADBC559ED7780DF5437834551F3E228CF153EF24A48B8A80

                                                                              Executed Functions

                                                                              Function 00007FFD9B8916E9 Relevance: .5, Instructions: 523COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2401038973.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bd70dc42f755e21ef0b0a2e3d077c09f7d7fa9543f35fa0e8af370c835ccaea4
                                                                              • Instruction ID: 68fac3f6a39beeb42f857f86b1c9c710e56663eca54fcacaebe197b82ee6e318
                                                                              • Opcode Fuzzy Hash: bd70dc42f755e21ef0b0a2e3d077c09f7d7fa9543f35fa0e8af370c835ccaea4
                                                                              • Instruction Fuzzy Hash: DEF1A471B29A495FEB98FB7C84796B97BD2FF88704F410579E40EC32D6DE28A8018741
                                                                              Function 00007FFD9B890E5E Relevance: .3, Instructions: 283COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2401038973.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ba127d16e2a3f2831ee81c8f990a156dc0d9f604d174db7c6aa2d4ddf39ee841
                                                                              • Instruction ID: 5a8a5bd5d16e23df55f96a84c471d3e54c328be3c34d042f4ecf0f2d475c51b8
                                                                              • Opcode Fuzzy Hash: ba127d16e2a3f2831ee81c8f990a156dc0d9f604d174db7c6aa2d4ddf39ee841
                                                                              • Instruction Fuzzy Hash: 5681F812B1D6A60EE75BB77C68299E92F91DF8623870941FBD0CDCB1E7DC0868478352
                                                                              Function 00007FFD9B891EF9 Relevance: .2, Instructions: 194COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2401038973.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c84022d0f693f40f818d12f1769fb192997c70f5440a45687bd4b38f7133c545
                                                                              • Instruction ID: fe9c6541b08d1530f9fb44c309fd4f7d35ba720f7f73ede68ba89cd7de000fae
                                                                              • Opcode Fuzzy Hash: c84022d0f693f40f818d12f1769fb192997c70f5440a45687bd4b38f7133c545
                                                                              • Instruction Fuzzy Hash: 2451F110B1E6C90FEB96AB785874675BFD5EF8B219B0800FAE09DC71E7DE185806C342
                                                                              Function 00007FFD9B8907F2 Relevance: 2.6, Strings: 2, Instructions: 108COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2401038973.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ;N_$<N_^
                                                                              • API String ID: 0-579182416
                                                                              • Opcode ID: 34b01887e1b74a1d0653214ff2c9be4489e770dca1750e68e8cb55ecd6f21a91
                                                                              • Instruction ID: 0ef90ef35379148d8fde92db35c57865a671855df8b34c7052f75bca2be4a0c2
                                                                              • Opcode Fuzzy Hash: 34b01887e1b74a1d0653214ff2c9be4489e770dca1750e68e8cb55ecd6f21a91
                                                                              • Instruction Fuzzy Hash: BA412531B596894FE75DEBACA8B48E47FA0FFC8204B8044B6D018C73DBDD3499428782
                                                                              Function 00007FFD9B8910FA Relevance: 2.0, Strings: 1, Instructions: 701COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2401038973.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 3N_^
                                                                              • API String ID: 0-137238001
                                                                              • Opcode ID: 56c79c543212e3f9acd70dd019c56ff07ee1ec406875fbf2f39e0058d849b8dd
                                                                              • Instruction ID: f3996676e5b33e737aa9a37768c28f72215850d822c5ca7d64ee6ce79ded6041
                                                                              • Opcode Fuzzy Hash: 56c79c543212e3f9acd70dd019c56ff07ee1ec406875fbf2f39e0058d849b8dd
                                                                              • Instruction Fuzzy Hash: 4291E423F0D66A5BE72AB7ECB8655E9BF60EF85275B0901B7D189CB0E3DD1424068390
                                                                              Function 00007FFD9B8911F0 Relevance: 1.8, Strings: 1, Instructions: 574COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2401038973.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 2N_^
                                                                              • API String ID: 0-2962387604
                                                                              • Opcode ID: 394499eed941b8e8c7ef9f9348d0fb4efc750c15fb2bdc68f9665adb325ab4fc
                                                                              • Instruction ID: c6b20de65e67ff74baf84aae9f56d9da81479694ed70d4ecf514716f3653d4ba
                                                                              • Opcode Fuzzy Hash: 394499eed941b8e8c7ef9f9348d0fb4efc750c15fb2bdc68f9665adb325ab4fc
                                                                              • Instruction Fuzzy Hash: DE51E662F0D66A4FEB56B7ACAC755ED7F70EF45264B0901B7D099D70E3EC1424468380
                                                                              Function 00007FFD9B8911F2 Relevance: 1.8, Strings: 1, Instructions: 574COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2401038973.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 2N_^
                                                                              • API String ID: 0-2962387604
                                                                              • Opcode ID: 39da0848c48892c49ba5a2f8e9693503c8d728506883b690252606f7a5debf57
                                                                              • Instruction ID: 1ede6bf44bd48942ca27eb18a8e0b101610a964c05770b78a093a851be30b399
                                                                              • Opcode Fuzzy Hash: 39da0848c48892c49ba5a2f8e9693503c8d728506883b690252606f7a5debf57
                                                                              • Instruction Fuzzy Hash: 9651E362F0D66A4FEB56B7ACA8755E97FB0EF85264B0901B7D099DB0E3EC1424468380
                                                                              Function 00007FFD9B890AFB Relevance: .2, Instructions: 209COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2401038973.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 34d65d69f6bab3a184cec4ec4e889cd7eb7849627f34f2f1a3deb2ea73038562
                                                                              • Instruction ID: ab905cad7886957570c15603711311617887a9b3d3b34d1da34cf13cdf074257
                                                                              • Opcode Fuzzy Hash: 34d65d69f6bab3a184cec4ec4e889cd7eb7849627f34f2f1a3deb2ea73038562
                                                                              • Instruction Fuzzy Hash: 5051E632B1952ACBEB59BBACF8659EC77A1FF98325B40017BD109C72D7DE3464428780
                                                                              Function 00007FFD9B890B6F Relevance: .2, Instructions: 162COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2401038973.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8e5296534a7e3498d926c5d4fad4fe2836e1a676a38394fcdd3bbd0f267b3ef8
                                                                              • Instruction ID: 920f6f66edfeccd60b95c79b6c9ed733f3eecf476bc94d1ffd5877e3a5cefe6d
                                                                              • Opcode Fuzzy Hash: 8e5296534a7e3498d926c5d4fad4fe2836e1a676a38394fcdd3bbd0f267b3ef8
                                                                              • Instruction Fuzzy Hash: CF41C772B1992D8FDB48FBACE865AED77A1FF88311F40057AD109C72C6DE34A4468780
                                                                              Function 00007FFD9B890638 Relevance: .1, Instructions: 136COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2401038973.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 620a08b99f16ba76853cedcb4db366cf1135665e07740edd7754c7919be13788
                                                                              • Instruction ID: 3730446fe14c870bce40acf531200c62e36ddec3726c6d636540886be2ee52aa
                                                                              • Opcode Fuzzy Hash: 620a08b99f16ba76853cedcb4db366cf1135665e07740edd7754c7919be13788
                                                                              • Instruction Fuzzy Hash: 8531CA21B1C94D0FEB98EB6C5869679B6C2EF9C345F4405BAE05EC32DBDE58AC018341
                                                                              Function 00007FFD9B890D48 Relevance: .1, Instructions: 85COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2401038973.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bce9d4bddf8d53e7cea92d6e8fd0e420779e3f21c1a69826074087e2a5651765
                                                                              • Instruction ID: 7f693c13e688ea0a89e101f82a9341a71550836e8fcbb540fe4e9b619fa41634
                                                                              • Opcode Fuzzy Hash: bce9d4bddf8d53e7cea92d6e8fd0e420779e3f21c1a69826074087e2a5651765
                                                                              • Instruction Fuzzy Hash: FE216651F1490A4BFB98BBBC686A7FC72D2EF98711F504176E11DC32DADD28A8424351
                                                                              Function 00007FFD9B89086D Relevance: .1, Instructions: 77COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2401038973.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cdf4bcaa7b1e62b869680a4b117301e40602264d367a0f94429788632c909f9b
                                                                              • Instruction ID: 3cc03e6a6bdc2d1eed214f7ae2680034bebad45bebcfe4dd5fe848a41b56ad13
                                                                              • Opcode Fuzzy Hash: cdf4bcaa7b1e62b869680a4b117301e40602264d367a0f94429788632c909f9b
                                                                              • Instruction Fuzzy Hash: 8D218E357599494FE75CEB6CA4B99A9BF61FFC8200BC044A4D518C33CADE34A9118782
                                                                              Function 00007FFD9B8920B1 Relevance: .1, Instructions: 51COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2401038973.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4df101fc939312ebf8b6d614a87bab5e6cc04d7be7fc98e8132f69e97874776b
                                                                              • Instruction ID: c02802a74ea40ec7b5f1fbfb03a8e0771a67f410a4f6391046d162ba27fdf268
                                                                              • Opcode Fuzzy Hash: 4df101fc939312ebf8b6d614a87bab5e6cc04d7be7fc98e8132f69e97874776b
                                                                              • Instruction Fuzzy Hash: 5601CB61A0EA880FFB5AAB7C1C744357FE0DFC665070905BBE888C30E7D9086A81C393

                                                                              Executed Functions

                                                                              Function 00007FFD9B8916E9 Relevance: .5, Instructions: 523COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2481178734.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 135787584062b376695c3b9a4e691e8f1532fd384cc1d02dada3ab466f46fb1d
                                                                              • Instruction ID: 8b7c52c740845a1a7888450a87bc616de8c1da7566950c191994896ffb89033b
                                                                              • Opcode Fuzzy Hash: 135787584062b376695c3b9a4e691e8f1532fd384cc1d02dada3ab466f46fb1d
                                                                              • Instruction Fuzzy Hash: 40F1A470B29A495FEB9CFB7894696B97BD2FF88700F414579E40EC32D6DE28A8018741
                                                                              Function 00007FFD9B890E5E Relevance: .3, Instructions: 283COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2481178734.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ffbe995f5e4145485894beac7e48b22d5a01e06a2a3044ff8d4dd36b1468ac13
                                                                              • Instruction ID: 533b6c0a3f442c7689ef9f4400a4ab5993a830b721bfc98431e07e13bb517c74
                                                                              • Opcode Fuzzy Hash: ffbe995f5e4145485894beac7e48b22d5a01e06a2a3044ff8d4dd36b1468ac13
                                                                              • Instruction Fuzzy Hash: 6A81E712B1D6A60EE75AB77C78299E92F91DF8623870941FBD0CDCB1E7DC0868478352
                                                                              Function 00007FFD9B891EF9 Relevance: .2, Instructions: 194COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2481178734.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4e305ee2977d7ad6fd5261f397afe4880ad601a50ccc172923b9674b1d0bf92d
                                                                              • Instruction ID: b754aedbc0b2a8ec51be61a55c35d19a511d54cf91542cdd0bdb49150c3c5ad6
                                                                              • Opcode Fuzzy Hash: 4e305ee2977d7ad6fd5261f397afe4880ad601a50ccc172923b9674b1d0bf92d
                                                                              • Instruction Fuzzy Hash: B851F110B1E6C90FEB96AB785874675BFD5EF8B219B0800FAE09DC71E7DE185806C342
                                                                              Function 00007FFD9B8907F2 Relevance: 2.6, Strings: 2, Instructions: 108COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2481178734.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ;N_$<N_^
                                                                              • API String ID: 0-579182416
                                                                              • Opcode ID: 59205add5e129290e3f68aee27d61e10431347b83c8b81c377614b492bbb832a
                                                                              • Instruction ID: b1940b29563bff54e58cd5c9710b5a487a7e0bcd26f920d2014abbf2400b814d
                                                                              • Opcode Fuzzy Hash: 59205add5e129290e3f68aee27d61e10431347b83c8b81c377614b492bbb832a
                                                                              • Instruction Fuzzy Hash: 10412431B596494FD75DEBA8B8B89E4BFB0FF8821478044B6D019C73DBDD3499068781
                                                                              Function 00007FFD9B8910FA Relevance: 2.0, Strings: 1, Instructions: 701COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2481178734.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 3N_^
                                                                              • API String ID: 0-137238001
                                                                              • Opcode ID: d0a7232a4c51443f8d250ccfd7b83f8e1aabe3a07dbf32a07703d185ee6e98e1
                                                                              • Instruction ID: ca1bfcb43966d21ac324fc0d1038dee7b3e48836866aab2803f1f7192e46c9e4
                                                                              • Opcode Fuzzy Hash: d0a7232a4c51443f8d250ccfd7b83f8e1aabe3a07dbf32a07703d185ee6e98e1
                                                                              • Instruction Fuzzy Hash: 89910423F0D66A5BE72AB7ECB8655E9BF60EF85275B4901B7D189CB0E3DC1424068390
                                                                              Function 00007FFD9B8911F0 Relevance: 1.8, Strings: 1, Instructions: 574COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2481178734.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 2N_^
                                                                              • API String ID: 0-2962387604
                                                                              • Opcode ID: 1d7336faccaf8cb9178f91b985c449b8f5d2569c9afc3c212325b8cdc22df740
                                                                              • Instruction ID: d768f2eec2fe42d2960e907ea4ae1e8acaecac165b768404fc710b4f68299812
                                                                              • Opcode Fuzzy Hash: 1d7336faccaf8cb9178f91b985c449b8f5d2569c9afc3c212325b8cdc22df740
                                                                              • Instruction Fuzzy Hash: 7D51F462F0D56A4FEB1AB7ACB8765E97F70EF45224B4901B7D099DB0E3EC1424468380
                                                                              Function 00007FFD9B8911F2 Relevance: 1.8, Strings: 1, Instructions: 574COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2481178734.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 2N_^
                                                                              • API String ID: 0-2962387604
                                                                              • Opcode ID: 010f5a5df928ef5da3a27fbfd70dcfeeaf372bac8b0556eca5f566329c1ae649
                                                                              • Instruction ID: fcbabd0a6e5b29e4359ef0dda96c8d44e1c7e603651db2af6ed38eaf88476e5c
                                                                              • Opcode Fuzzy Hash: 010f5a5df928ef5da3a27fbfd70dcfeeaf372bac8b0556eca5f566329c1ae649
                                                                              • Instruction Fuzzy Hash: DA510622F0D66A4FDB1AB7ACB8755E97F70EF45224B4901B7D099D70E3EC1424068380
                                                                              Function 00007FFD9B890AFB Relevance: .2, Instructions: 209COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2481178734.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f91361155a8d696a8bd50ef87d43c49a34bd476c052d80077652ef3173afe0bf
                                                                              • Instruction ID: 29612217f8546240d0f8e80bd8fd5163b27dc996ab82697ca0f24cc3752a4f6d
                                                                              • Opcode Fuzzy Hash: f91361155a8d696a8bd50ef87d43c49a34bd476c052d80077652ef3173afe0bf
                                                                              • Instruction Fuzzy Hash: 0751D432B1952A8BDB59BBACF865AEC77A1FF98325B40017BD109C72D7DE3464428780
                                                                              Function 00007FFD9B890B6F Relevance: .2, Instructions: 162COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2481178734.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 752fffdc077e7f5e0a3c21561b3fe4e521cce0c5a915b4aaf192f7a8719804c6
                                                                              • Instruction ID: 8601c6f80be3ab3919dee1abe800b99f5575054ec1ab1e4cb2edc98e532124e0
                                                                              • Opcode Fuzzy Hash: 752fffdc077e7f5e0a3c21561b3fe4e521cce0c5a915b4aaf192f7a8719804c6
                                                                              • Instruction Fuzzy Hash: E741C972B1592D8FDB48FBA9E865AED77A1FF98311F80057AD009C72C6DE34A446C780
                                                                              Function 00007FFD9B890638 Relevance: .1, Instructions: 136COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2481178734.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fdcafbbb6e6a2835033af7d5c1d97f6f31262bc370b1cdb63cd6637312b51b74
                                                                              • Instruction ID: f049bef9b9789d218be93b5b669a8a8c7ca718153cd6be479971922df36d838f
                                                                              • Opcode Fuzzy Hash: fdcafbbb6e6a2835033af7d5c1d97f6f31262bc370b1cdb63cd6637312b51b74
                                                                              • Instruction Fuzzy Hash: 9231CA21B1C94D0FEB98EB6C5869679B6C2EF9C355F4405BAE05EC32DBDE58AC018341
                                                                              Function 00007FFD9B890D48 Relevance: .1, Instructions: 85COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2481178734.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bce9d4bddf8d53e7cea92d6e8fd0e420779e3f21c1a69826074087e2a5651765
                                                                              • Instruction ID: 7f693c13e688ea0a89e101f82a9341a71550836e8fcbb540fe4e9b619fa41634
                                                                              • Opcode Fuzzy Hash: bce9d4bddf8d53e7cea92d6e8fd0e420779e3f21c1a69826074087e2a5651765
                                                                              • Instruction Fuzzy Hash: FE216651F1490A4BFB98BBBC686A7FC72D2EF98711F504176E11DC32DADD28A8424351
                                                                              Function 00007FFD9B89086D Relevance: .1, Instructions: 77COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2481178734.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 79922fdc38255773300f6d2f6d8e4e4883b58771ad794ee9d33236b16ac721d8
                                                                              • Instruction ID: e128e9a5be6653a31ae9b5f011828e261b3b21104eadcd270c7c9998e4087af9
                                                                              • Opcode Fuzzy Hash: 79922fdc38255773300f6d2f6d8e4e4883b58771ad794ee9d33236b16ac721d8
                                                                              • Instruction Fuzzy Hash: 1B219035B5890D5FD75CEB69B4A99B9BF71FF88200BC144A4D41AC33CADD34A901C782
                                                                              Function 00007FFD9B8920B1 Relevance: .1, Instructions: 51COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000E.00000002.2481178734.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_14_2_7ffd9b890000_RuntimeBroker.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0b3d7d7a120f14e8b56a6f10d9c2245f7f29d0e2dcda460e7e6ee1b85f6260ae
                                                                              • Instruction ID: 2fa9945716a67a3d38b1197c29fdc9604ba3d33fe881f5c0de4040b04d7432e3
                                                                              • Opcode Fuzzy Hash: 0b3d7d7a120f14e8b56a6f10d9c2245f7f29d0e2dcda460e7e6ee1b85f6260ae
                                                                              • Instruction Fuzzy Hash: 3401C051A0EA840FFB5A9B782C744357FE0DFC565070505BBD484C30E7D9046A41C393